Analysis Report Tranf111.exe

Overview

General Information

Sample Name: Tranf111.exe
MD5: ff429ca7815826081dcfc73e48b3afa1
SHA1: b5c7cdf2635bb1be0d9703c5fb11e699f39a75f1
SHA256: 828754781079f808a0def249c960490fdba73680442940cf5d1d669406d4de38

Detection

NetWire GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: NetWire
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Sleep loop found (likely to delay execution)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • Tranf111.exe (PID: 4924 cmdline: 'C:\Users\user\Desktop\Tranf111.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
    • Tranf111.exe (PID: 3532 cmdline: 'C:\Users\user\Desktop\Tranf111.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
      • Host.exe (PID: 4524 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
        • Host.exe (PID: 3832 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
  • Host.exe (PID: 5228 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
    • Host.exe (PID: 5208 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
  • Host.exe (PID: 4200 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
    • Host.exe (PID: 5204 cmdline: 'C:\Users\user\AppData\Roaming\Install\Host.exe' MD5: FF429CA7815826081DCFC73E48B3AFA1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.1135888516.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000009.00000002.1182104003.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
0000000D.00000002.1175398766.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000002.00000002.833452695.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: Tranf111.exe PID: 3532 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: NetWire
Source: Registry Key set | Author: Joe Security | Data: Details: C:\Users\user\AppData\Roaming\Install\Host.exe, EventID: 13, Image: C:\Users\user\AppData\Roaming\Install\Host.exe, ProcessId: 3832, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NetWire

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Tranf111.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Avira: detection malicious, Label: HEUR/AGEN.1043844
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Virustotal: Detection: 12%

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: grace38.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49736 -> 91.193.75.228:3372
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: Host.exe, 0000000D.00000002.1175971095.00000000009B6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.microsoft.c8
Source: Tranf111.exe, 00000002.00000002.834374750.0000000000914000.00000004.00000020.sdmp, Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp, Host.exe, 0000000C.00000002.1136772284.0000000000929000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1176033093.00000000009DA000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: Tranf111.exe, 00000002.00000002.834374750.0000000000914000.00000004.00000020.sdmp, Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp, Host.exe, 0000000C.00000002.1136772284.0000000000929000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1176033093.00000000009DA000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Tranf111.exe, 00000002.00000002.834374750.0000000000914000.00000004.00000020.sdmp, Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp, Host.exe, 0000000C.00000002.1136772284.0000000000929000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1176033093.00000000009DA000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/8
Source: Host.exe, 0000000C.00000002.1136702324.0000000000909000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1175971095.00000000009B6000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=030A9BC8FCC283CB&resid=30A9BC8FCC283CB%21485&authkey=ACP2x7be
Source: Tranf111.exe, 00000002.00000002.834374750.0000000000914000.00000004.00000020.sdmp, Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp, Host.exe, 0000000C.00000002.1136772284.0000000000929000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1176033093.00000000009DA000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://znsxra.am.files.1drv.com/
Source: Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp | String found in binary or memory: https://znsxra.am.files.1drv.com/6x
Source: Host.exe, 0000000D.00000002.1176033093.00000000009DA000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp | String found in binary or memory: https://znsxra.am.files.1drv.com/y4mTV4THJ20L_JIEWubssfmWQK0SyfcSdaL34V7DqZPjQXb7jhJxDtpVTLvC6UPh6gJ
Source: Host.exe, 0000000C.00000002.1136702324.0000000000909000.00000004.00000020.sdmp | String found in binary or memory: https://znsxra.am.files.1drv.com/y4mVAQQl6Sd3P1OczukrNdIP0e9E7vfIWADCKwvUX9A-tSXIXmFZMDUrz_OgVwZ28KK
Source: Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp | String found in binary or memory: https://znsxra.am.files.1drv.com/y4mbj0T0WVKBrd5-2NlyxQKUAVxkSJtL1-E_cUs8GlzE-b8fjQkIXtzY8U-umEmlpRA
Source: Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1175971095.00000000009B6000.00000004.00000020.sdmp | String found in binary or memory: https://znsxra.am.files.1drv.com/y4mjcdbJ3QRfuUnZCDH1_ob-E5xgYWc0xgURurNPRCN_8kTInvGQVCy_MQIJrR9IW_h
Source: Tranf111.exe, 00000002.00000002.834374750.0000000000914000.00000004.00000020.sdmp | String found in binary or memory: https://znsxra.am.files.1drv.com/y4mw2X1MHaU4Cj4ZzQZlESIRrkgURTSIS8CPmZ3JQxDYupTjBIRVHhMzOtqfn8rJXFh

Source: Host.exe, 00000003.00000002.875522987.0000000000720000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2A1E NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C0F18 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C0199 EnumWindows,NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2DB4 NtResumeThread
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C0F44 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C1164 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2DBC NtResumeThread
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C01CD NtSetInformationThread,TerminateProcess
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2DF8 NtResumeThread
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00562A1E NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_0056143A NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00560199 EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00562DB4 NtSetInformationThread
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00560331 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00561431 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00560D3D NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_005601CD NtSetInformationThread
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00562DF8 NtSetInformationThread
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00562DBC NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2A1E NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F0F18 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2DB4 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F0199 EnumWindows,NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F1164 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F0F44 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2DF8 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F01CD NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2DBC NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562A1E LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00560D3D CreateThread,TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_0056143A LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_005613C2 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00560199 EnumWindows,LdrInitializeThunk,NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562DB4 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00560331 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00561431 LdrInitializeThunk,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_005601CD NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562DF8 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562DBC NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2A1E NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D0F18 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D0199 EnumWindows,NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2DB4 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D0F44 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D1164 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2DBC NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D01CD NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2DF8 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02010F18 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012A1E NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02010199 EnumWindows,NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012DB4 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02010F44 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02011164 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012DBC NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_020101CD NtSetInformationThread,TerminateProcess
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012DF8 NtResumeThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562A1E NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_0056143A NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00560199 EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562DB4 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00560331 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00561431 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00560D3D NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_005601CD NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562DF8 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562DBC NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562A1E NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_0056143A NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00560199 EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562DB4 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00560331 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00561431 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00560D3D NtProtectVirtualMemory
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_005601CD NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562DF8 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562DBC NtSetInformationThread
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_0040E160
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C1608
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00560199
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00561608
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F1608
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00560199
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00561608
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D1608
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02011608
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00560199
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00561608
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00560199
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00561608
Source: Tranf111.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Host.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Tranf111.exe, 00000000.00000002.798986162.0000000002190000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Tranf111.exe
Source: Tranf111.exe, 00000000.00000002.797995936.0000000000411000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMedica.exe vs Tranf111.exe
Source: Tranf111.exe, 00000000.00000002.801592067.0000000002AE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMedica.exeFE2XComix Interval vs Tranf111.exe
Source: Tranf111.exe, 00000002.00000002.834668861.0000000002510000.00000004.00000040.sdmp | Binary or memory string: OriginalFilenameMedica.exe vs Tranf111.exe
Source: Tranf111.exe, 00000002.00000002.836632034.000000001F230000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Tranf111.exe
Source: Tranf111.exe, 00000002.00000002.836590399.000000001F1F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Tranf111.exe
Source: Tranf111.exe, 00000002.00000002.836590399.000000001F1F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Tranf111.exe
Source: Tranf111.exe, 00000002.00000002.836486039.000000001EF60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Tranf111.exe
Source: Tranf111.exe | Binary or memory string: OriginalFilenameMedica.exe vs Tranf111.exe
Source: Tranf111.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Host.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/1@67/1
Source: C:\Users\user\Desktop\Tranf111.exe | File created: C:\Users\user\AppData\Roaming\Install
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Mutant created: \Sessions\1\BaseNamedObjects\EFNLWBNX
Source: C:\Users\user\Desktop\Tranf111.exe | File created: C:\Users\user\AppData\Local\Temp\~DF8C7051B02469CB06.TMP
Source: Tranf111.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Tranf111.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Tranf111.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Tranf111.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Tranf111.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Tranf111.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Tranf111.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Tranf111.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Tranf111.exe | File read: C:\Users\user\Desktop\Tranf111.exe
Source: unknown | Process created: C:\Users\user\Desktop\Tranf111.exe 'C:\Users\user\Desktop\Tranf111.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Tranf111.exe 'C:\Users\user\Desktop\Tranf111.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: C:\Users\user\Desktop\Tranf111.exe | Process created: C:\Users\user\Desktop\Tranf111.exe 'C:\Users\user\Desktop\Tranf111.exe'
Source: C:\Users\user\Desktop\Tranf111.exe | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 0000000C.00000002.1135888516.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1182104003.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1175398766.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.833452695.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tranf111.exe PID: 3532, type: MEMORY
Source: Yara match | File source: Process Memory Space: Host.exe PID: 4200, type: MEMORY
Source: Yara match | File source: Process Memory Space: Host.exe PID: 5228, type: MEMORY
Source: Yara match | File source: Process Memory Space: Host.exe PID: 5204, type: MEMORY
Source: Yara match | File source: Process Memory Space: Host.exe PID: 4524, type: MEMORY
Source: Yara match | File source: Process Memory Space: Host.exe PID: 3832, type: MEMORY
Source: Yara match | File source: Process Memory Space: Host.exe PID: 5208, type: MEMORY
Source: Yara match | File source: Process Memory Space: Tranf111.exe PID: 4924, type: MEMORY
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_0056237A LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_004044C4 push cs; iretd 0_2_004044CF
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_00404499 push cs; iretd 0_2_004044CF
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_004024AF push ds; iretd 0_2_004024B1
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_004066B9 push ebx; ret 0_2_004066BB
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_004034BC push edi; retf 0_2_004034BD
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_0040416F push edx; ret 0_2_00404176
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_00403F0C push ebp; retf 0_2_00403F23
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_004027B7 push edi; retf 0_2_004027F2
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2561 push ebp; retf 9FC3h 3_2_006F3046
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562561 push ebp; retf 9FC3h 9_2_00563046
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2561 push ebp; retf 9FC3h 10_2_021D3046
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012561 push ebp; retf 9FC3h 11_2_02013046
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562561 push ebp; retf 9FC3h 12_2_00563046
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562561 push ebp; retf 9FC3h 13_2_00563046
Source: initial sample | Static PE information: section name: .text entropy: 7.11585281492

Source: C:\Users\user\Desktop\Tranf111.exe | File created: C:\Users\user\AppData\Roaming\Install\Host.exe

Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NetWire (2 occurrences)

Source: C:\Users\user\Desktop\Tranf111.exe | Process information set: NOOPENFILEERRORBOX (12 occurrences)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Process information set: NOOPENFILEERRORBOX (15 occurrences)

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2514 0_2_021C2514
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00562514 2_2_00562514
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2514 3_2_006F2514
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562514 9_2_00562514
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2514 10_2_021D2514
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012514 11_2_02012514
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562514 12_2_00562514
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562514 13_2_00562514
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_9-2228)
Sleep loop found (likely to delay execution)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Thread sleep count: Count: 3038 delay: -5
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Tranf111.exe | RDTSC instruction interceptor: First address: 00000000021C2517 second address: 00000000021C2537 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FAA0C677A64h 0x0000001a fnop 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Tranf111.exe | RDTSC instruction interceptor: First address: 00000000021C2537 second address: 00000000021C2517 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FAA0CACE54Eh 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FAA0CACE576h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FAA0CACE56Eh 0x00000020 push ecx 0x00000021 call 00007FAA0CACE5A3h 0x00000026 lfence 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Tranf111.exe | RDTSC instruction interceptor: First address: 0000000000562517 second address: 0000000000562537 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FAA0C677A64h 0x0000001a fnop 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Tranf111.exe | RDTSC instruction interceptor: First address: 0000000000562537 second address: 0000000000562517 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FAA0CACE54Eh 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FAA0CACE576h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FAA0CACE56Eh 0x00000020 push ecx 0x00000021 call 00007FAA0CACE5A3h 0x00000026 lfence 0x00000029 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 00000000006F2517 second address: 00000000006F2537 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FAA0C677A64h 0x0000001a fnop 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 00000000006F2537 second address: 00000000006F2517 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FAA0CACE54Eh 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FAA0CACE576h 0x00000018 push ecx 0x00000019 call 00007FAA0CACE5A3h 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 0000000000562517 second address: 0000000000562537 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FAA0C677A64h 0x0000001a fnop 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 0000000000562537 second address: 0000000000562517 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FAA0CACB76Eh 0x00000011 lfence 0x00000014 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 00000000021D2517 second address: 00000000021D2537 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FAA0C829064h 0x0000001a fnop 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 00000000021D2537 second address: 00000000021D2517 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FAA0CACB76Eh 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FAA0CACB796h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FAA0CACB78Eh 0x00000020 push ecx 0x00000021 call 00007FAA0CACB7C3h 0x00000026 lfence 0x00000029 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 0000000002012517 second address: 0000000002012537 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FAA0C829064h 0x0000001a fnop 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 0000000002012537 second address: 0000000002012517 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FAA0CACB76Eh 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FAA0CACB796h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FAA0CACB78Eh 0x00000020 push ecx 0x00000021 call 00007FAA0CACB7C3h 0x00000026 lfence 0x00000029 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 0000000000562517 second address: 0000000000562537 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007FAA0C829064h 0x0000001a fnop 0x0000001c popad 0x0000001d lfence 0x00000020 rdtsc
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | RDTSC instruction interceptor: First address: 0000000000562537 second address: 0000000000562517 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007FAA0CACB76Eh 0x00000011 ret 0x00000012 pop ecx 0x00000013 cmp edx, 32h 0x00000016 jl 00007FAA0CACB796h 0x00000018 add edi, edx 0x0000001a dec ecx 0x0000001b cmp ecx, 00000000h 0x0000001e jne 00007FAA0CACB78Eh 0x00000020 push ecx 0x00000021 call 00007FAA0CACB7C3h 0x00000026 lfence 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2514 rdtsc 0_2_021C2514
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Window / User API: threadDelayed 3038
Source: C:\Users\user\AppData\Roaming\Install\Host.exe TID: 6044 | Thread sleep count: 3038 > 30
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Last function: Thread delayed (2 occurrences)
Source: Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW0r
Source: Host.exe, 00000003.00000002.875522987.0000000000720000.00000004.00000020.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exee
Source: Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp, Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: Host.exe, 0000000D.00000002.1175828891.0000000000957000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW,
Source: Tranf111.exe, 00000000.00000002.799037669.00000000021C0000.00000040.00000001.sdmp, Tranf111.exe, 00000002.00000002.833452695.0000000000560000.00000040.00000001.sdmp, Host.exe, 00000003.00000002.875464623.00000000006F0000.00000040.00000001.sdmp, Host.exe, 00000009.00000002.1182104003.0000000000560000.00000040.00000001.sdmp, Host.exe, 0000000A.00000002.1072737406.00000000021D0000.00000040.00000001.sdmp, Host.exe, 0000000B.00000002.1123629851.0000000002010000.00000040.00000001.sdmp, Host.exe, 0000000C.00000002.1135888516.0000000000560000.00000040.00000001.sdmp, Host.exe, 0000000D.00000002.1175398766.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Host.exe, 00000009.00000002.1182580461.0000000000978000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW@

Anti Debugging:

Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C0199 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 0_2_021C0199
Hides threads from debuggers
Source: C:\Users\user\Desktop\Tranf111.exe | Thread information set: HideFromDebugger (3 occurrences)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Thread information set: HideFromDebugger (9 occurrences)
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2514 rdtsc 0_2_021C2514
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C1AE6 LdrInitializeThunk, 0_2_021C1AE6
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_0056237A LoadLibraryA,GetProcAddress, 2_2_0056237A
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C223B mov eax, dword ptr fs:[00000030h] 0_2_021C223B
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2452 mov eax, dword ptr fs:[00000030h] 0_2_021C2452
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C268C mov eax, dword ptr fs:[00000030h] 0_2_021C268C
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C0CB0 mov eax, dword ptr fs:[00000030h] 0_2_021C0CB0
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C08AB mov eax, dword ptr fs:[00000030h] 0_2_021C08AB
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C271F mov eax, dword ptr fs:[00000030h] 0_2_021C271F
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C1323 mov eax, dword ptr fs:[00000030h] 0_2_021C1323
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 0_2_021C2759 mov eax, dword ptr fs:[00000030h] 0_2_021C2759
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00560CB0 mov eax, dword ptr fs:[00000030h] 2_2_00560CB0
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00562452 mov eax, dword ptr fs:[00000030h] 2_2_00562452
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00562759 mov eax, dword ptr fs:[00000030h] 2_2_00562759
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_0056271F mov eax, dword ptr fs:[00000030h] 2_2_0056271F
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_0056223B mov eax, dword ptr fs:[00000030h] 2_2_0056223B
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00561323 mov eax, dword ptr fs:[00000030h] 2_2_00561323
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_0056268C mov eax, dword ptr fs:[00000030h] 2_2_0056268C
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_005608AB mov eax, dword ptr fs:[00000030h] 2_2_005608AB
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2759 mov eax, dword ptr fs:[00000030h] 3_2_006F2759
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F2452 mov eax, dword ptr fs:[00000030h] 3_2_006F2452
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F1323 mov eax, dword ptr fs:[00000030h] 3_2_006F1323
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F223B mov eax, dword ptr fs:[00000030h] 3_2_006F223B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F271F mov eax, dword ptr fs:[00000030h] 3_2_006F271F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F08AB mov eax, dword ptr fs:[00000030h] 3_2_006F08AB
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F0CB0 mov eax, dword ptr fs:[00000030h] 3_2_006F0CB0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 3_2_006F268C mov eax, dword ptr fs:[00000030h] 3_2_006F268C
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00560CAF mov eax, dword ptr fs:[00000030h] 9_2_00560CAF
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562452 mov eax, dword ptr fs:[00000030h] 9_2_00562452
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00562759 mov eax, dword ptr fs:[00000030h] 9_2_00562759
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_0056271F mov eax, dword ptr fs:[00000030h] 9_2_0056271F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_0056223B mov eax, dword ptr fs:[00000030h] 9_2_0056223B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00561323 mov eax, dword ptr fs:[00000030h] 9_2_00561323
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_0056268C mov eax, dword ptr fs:[00000030h] 9_2_0056268C
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_005608AB mov eax, dword ptr fs:[00000030h] 9_2_005608AB
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D271F mov eax, dword ptr fs:[00000030h] 10_2_021D271F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D223B mov eax, dword ptr fs:[00000030h] 10_2_021D223B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D1323 mov eax, dword ptr fs:[00000030h] 10_2_021D1323
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2759 mov eax, dword ptr fs:[00000030h] 10_2_021D2759
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D2452 mov eax, dword ptr fs:[00000030h] 10_2_021D2452
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D268C mov eax, dword ptr fs:[00000030h] 10_2_021D268C
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D0CB0 mov eax, dword ptr fs:[00000030h] 10_2_021D0CB0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 10_2_021D08AB mov eax, dword ptr fs:[00000030h] 10_2_021D08AB
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_0201271F mov eax, dword ptr fs:[00000030h] 11_2_0201271F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02011323 mov eax, dword ptr fs:[00000030h] 11_2_02011323
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_0201223B mov eax, dword ptr fs:[00000030h] 11_2_0201223B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012452 mov eax, dword ptr fs:[00000030h] 11_2_02012452
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02012759 mov eax, dword ptr fs:[00000030h] 11_2_02012759
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_0201268C mov eax, dword ptr fs:[00000030h] 11_2_0201268C
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_020108AB mov eax, dword ptr fs:[00000030h] 11_2_020108AB
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 11_2_02010CB0 mov eax, dword ptr fs:[00000030h] 11_2_02010CB0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00560CB0 mov eax, dword ptr fs:[00000030h] 12_2_00560CB0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562452 mov eax, dword ptr fs:[00000030h] 12_2_00562452
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00562759 mov eax, dword ptr fs:[00000030h] 12_2_00562759
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_0056271F mov eax, dword ptr fs:[00000030h] 12_2_0056271F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_0056223B mov eax, dword ptr fs:[00000030h] 12_2_0056223B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00561323 mov eax, dword ptr fs:[00000030h] 12_2_00561323
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_0056268C mov eax, dword ptr fs:[00000030h] 12_2_0056268C
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_005608AB mov eax, dword ptr fs:[00000030h] 12_2_005608AB
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00560CB0 mov eax, dword ptr fs:[00000030h] 13_2_00560CB0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562452 mov eax, dword ptr fs:[00000030h] 13_2_00562452
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00562759 mov eax, dword ptr fs:[00000030h] 13_2_00562759
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_0056271F mov eax, dword ptr fs:[00000030h] 13_2_0056271F
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_0056223B mov eax, dword ptr fs:[00000030h] 13_2_0056223B
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00561323 mov eax, dword ptr fs:[00000030h] 13_2_00561323
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_0056268C mov eax, dword ptr fs:[00000030h] 13_2_0056268C
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_005608AB mov eax, dword ptr fs:[00000030h] 13_2_005608AB
Source: C:\Users\user\Desktop\Tranf111.exe | Code function: 2_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory, 2_2_00560D90
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 9_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 9_2_00560D90
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 12_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory, 12_2_00560D90
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Code function: 13_2_00560D90 LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory, 13_2_00560D90

Source: C:\Users\user\Desktop\Tranf111.exe | Process created: C:\Users\user\Desktop\Tranf111.exe 'C:\Users\user\Desktop\Tranf111.exe'
Source: C:\Users\user\Desktop\Tranf111.exe | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe'
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Process created: C:\Users\user\AppData\Roaming\Install\Host.exe 'C:\Users\user\AppData\Roaming\Install\Host.exe' (3 occurrences)
Source: Host.exe, 00000009.00000002.1182921054.0000000000F00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Host.exe, 00000009.00000002.1182921054.0000000000F00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Host.exe, 00000009.00000002.1182921054.0000000000F00000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Host.exe, 00000009.00000002.1182921054.0000000000F00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Tranf111.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Queries volume information: C:\ VolumeInformation (3 occurrences)
Source: C:\Users\user\AppData\Roaming\Install\Host.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through API11 | Registry Run Keys / Startup Folder1 | Process Injection12 | Masquerading1 | Input Capture1 | Virtualization/Sandbox Evasion21 | Application Deployment Software | Input Capture1 | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Graphical User Interface1 | Port Monitors | Accessibility Features | Software Packing2 | Network Sniffing | Process Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Uncommonly Used Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion21 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection12 | Credentials in Files | Security Software Discovery511 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol11 | SIM Card Swap |  | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information2 | Account Manipulation | Remote System Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | DLL Search Order Hijacking | Brute Force | File and Directory Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | System Information Discovery212 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process