Analysis Report underman.exe

Overview

General Information

Sample Name: underman.exe
Analysis ID: 313196
MD5: 0a09ebb8c7577680c36868b3bc13e5c9
SHA1: 4212282634817e4600981d650f06f86803dcf72f
SHA256: c256466dc256d55f7cba0f1c2201f208b82deabd903dd3a71a4e7989e6a61ff7
Tags: exe, GuLoader

Most interesting Screenshot:

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • underman.exe (PID: 6648 cmdline: 'C:\Users\user\Desktop\underman.exe' MD5: 0A09EBB8C7577680C36868B3BC13E5C9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: Process Memory Space: underman.exe PID: 6648
  Rule: JoeSecurity_VB6DownloaderGeneric
  Description: Yara detected VB6 Downloader Generic
  Author: Joe Security

Source: Process Memory Space: underman.exe PID: 6648
  Rule: JoeSecurity_GuLoader
  Description: Yara detected GuLoader
  Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: underman.exe Virustotal: Detection: 32%
Source: underman.exe ReversingLabs: Detection: 25%
Machine Learning detection for sample
Source: underman.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\underman.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403283 0_2_00403283
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403849 0_2_00403849
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403855 0_2_00403855
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_0040366B 0_2_0040366B
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403874 0_2_00403874
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_0040387B 0_2_0040387B
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403611 0_2_00403611
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403415 0_2_00403415
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403820 0_2_00403820
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403622 0_2_00403622
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403633 0_2_00403633
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403434 0_2_00403434
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_0040383D 0_2_0040383D
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004036C6 0_2_004036C6
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004034F4 0_2_004034F4
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004036F6 0_2_004036F6
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004034F7 0_2_004034F7
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403680 0_2_00403680
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403482 0_2_00403482
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_0040368D 0_2_0040368D
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403698 0_2_00403698
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004036A2 0_2_004036A2
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004038AA 0_2_004038AA
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004036AD 0_2_004036AD
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_0040376D 0_2_0040376D
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403577 0_2_00403577
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403526 0_2_00403526
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403726 0_2_00403726
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00403535 0_2_00403535
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004035D3 0_2_004035D3
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004037DC 0_2_004037DC
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004037E7 0_2_004037E7
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004037F6 0_2_004037F6
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004037AB 0_2_004037AB
Source: underman.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: underman.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: underman.exe, 00000000.00000002.928328782.00000000021E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilename user32j% vs underman.exe
Source: underman.exe, 00000000.00000002.927976374.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilename udsmyk.exe vs underman.exe
Source: underman.exe Binary or memory string: OriginalFilename udsmyk.exe vs underman.exe
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\underman.exe File created: C:\Users\user\AppData\Local\Temp\~DF9D86AF191351F744.TMP
Source: underman.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\underman.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\underman.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: underman.exe PID: 6648, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: underman.exe PID: 6648, type: MEMORY
Source: underman.exe Static PE information: real checksum: 0x2101d should be: 0x1d2c3
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_004062B9 push ebx; iretd 0_2_004062BC
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_00406DBC push 9613F0F6h; iretd 0_2_00406DD1
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B80A86 push ds; iretd 0_2_02B80AA1
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B87222 push es; retf 0_2_02B8722F
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B80A6E push ds; iretd 0_2_02B80A84
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B80B80 push ecx; ret 0_2_02B80BA5
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B80C13 push ds; iretd 0_2_02B80C40
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B80C42 push ds; iretd 0_2_02B80C5D
Source: C:\Users\user\Desktop\underman.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B85F94 0_2_02B85F94
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B85F8D 0_2_02B85F8D
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B85FFE 0_2_02B85FFE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: underman.exe, 00000000.00000002.928968903.0000000002B80000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: underman.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B81643 rdtsc 0_2_02B81643
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: underman.exe, 00000000.00000002.928968903.0000000002B80000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: underman.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\underman.exe Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B81643 rdtsc 0_2_02B81643
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B81A30 mov eax, dword ptr fs:[00000030h] 0_2_02B81A30
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B82214 mov eax, dword ptr fs:[00000030h] 0_2_02B82214
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B8220D mov eax, dword ptr fs:[00000030h] 0_2_02B8220D
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B82270 mov eax, dword ptr fs:[00000030h] 0_2_02B82270
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B81FA6 mov eax, dword ptr fs:[00000030h] 0_2_02B81FA6
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B85F94 mov eax, dword ptr fs:[00000030h] 0_2_02B85F94
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B85F8D mov eax, dword ptr fs:[00000030h] 0_2_02B85F8D
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B85FFE mov eax, dword ptr fs:[00000030h] 0_2_02B85FFE
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B82F22 mov eax, dword ptr fs:[00000030h] 0_2_02B82F22
Source: C:\Users\user\Desktop\underman.exe Code function: 0_2_02B8507A mov eax, dword ptr fs:[00000030h] 0_2_02B8507A
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: underman.exe, 00000000.00000002.928215888.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: underman.exe, 00000000.00000002.928215888.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: underman.exe, 00000000.00000002.928215888.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: underman.exe, 00000000.00000002.928215888.0000000000D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion11; Process Injection1; Obfuscated Files or Information1; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery311; Virtualization/Sandbox Evasion11; Process Discovery1; System Information Discovery11
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel1; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots
