Loading ...

Play interactive tourEdit tour

Analysis Report file

Overview

General Information

Sample Name:file (renamed file extension from none to exe)
Analysis ID:339189
MD5:4be8c93e9f60d0c2503dc3c6869975c4
SHA1:3554a4a68003edeef2e4385ec70d7d477fed77c0
SHA256:f188b5182bfe25b85b5748ae7932ff857fbeebe45c9b67718d708fa843d3b7b6
Tags:exeGuLoader

Most interesting Screenshot:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • file.exe (PID: 6492 cmdline: 'C:\Users\user\Desktop\file.exe' MD5: 4BE8C93E9F60D0C2503DC3C6869975C4)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: file.exe PID: 6492JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: file.exe PID: 6492JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results
      Source: file.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: file.exe, 00000000.00000002.1276886652.000000000077A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: C:\Users\user\Desktop\file.exeProcess Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737B9C NtProtectVirtualMemory,0_2_00737B9C
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007338760_2_00733876
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737C7A0_2_00737C7A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007354630_2_00735463
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007318570_2_00731857
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732C540_2_00732C54
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073685F0_2_0073685F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00736C430_2_00736C43
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007334420_2_00733442
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007360460_2_00736046
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007370450_2_00737045
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073243A0_2_0073243A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007338220_2_00733822
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073542F0_2_0073542F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073801A0_2_0073801A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073201E0_2_0073201E
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007308040_2_00730804
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735CF70_2_00735CF7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007354FD0_2_007354FD
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007374E70_2_007374E7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007300EB0_2_007300EB
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737CD30_2_00737CD3
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007328D00_2_007328D0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007330C20_2_007330C2
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007358C60_2_007358C6
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007380C50_2_007380C5
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007354CC0_2_007354CC
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732CA70_2_00732CA7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007334A60_2_007334A6
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007364AF0_2_007364AF
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007368920_2_00736892
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007354940_2_00735494
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073808A0_2_0073808A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007321730_2_00732173
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737D770_2_00737D77
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073256C0_2_0073256C
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735D5F0_2_00735D5F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007359410_2_00735941
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073754B0_2_0073754B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737D480_2_00737D48
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007371330_2_00737133
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735D300_2_00735D30
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073292E0_2_0073292E
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737D100_2_00737D10
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073211B0_2_0073211B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007359080_2_00735908
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073650D0_2_0073650D
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007301F50_2_007301F5
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007351F40_2_007351F4
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731DF80_2_00731DF8
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007355FC0_2_007355FC
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737DDC0_2_00737DDC
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007301C40_2_007301C4
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007359CE0_2_007359CE
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007355CC0_2_007355CC
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007339AB0_2_007339AB
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737DAB0_2_00737DAB
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007321A80_2_007321A8
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007371AE0_2_007371AE
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007381940_2_00738194
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00736D8A0_2_00736D8A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007322740_2_00732274
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007356780_2_00735678
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735E7F0_2_00735E7F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007372600_2_00737260
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007376640_2_00737664
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732E4E0_2_00732E4E
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735A4D0_2_00735A4D
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007356380_2_00735638
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737E3E0_2_00737E3E
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737E100_2_00737E10
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732E070_2_00732E07
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007372060_2_00737206
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735A0B0_2_00735A0B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007352F10_2_007352F1
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735AE20_2_00735AE2
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737EE70_2_00737EE7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007372D60_2_007372D6
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732EC00_2_00732EC0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00736ECD0_2_00736ECD
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735AB00_2_00735AB0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007376B70_2_007376B7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00736EA30_2_00736EA3
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00733EA80_2_00733EA8
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007356A80_2_007356A8
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007366A80_2_007366A8
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007332930_2_00733293
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007326980_2_00732698
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732A980_2_00732A98
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731A9C0_2_00731A9C
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073737A0_2_0073737A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007357790_2_00735779
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731F610_2_00731F61
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007333680_2_00733368
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007323520_2_00732352
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737F5C0_2_00737F5C
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735B430_2_00735B43
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007367440_2_00736744
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731F350_2_00731F35
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735F3C0_2_00735F3C
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007373210_2_00737321
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737F270_2_00737F27
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732F1B0_2_00732F1B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073371A0_2_0073371A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00736F030_2_00736F03
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007333020_2_00733302
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007317F20_2_007317F2
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735BF10_2_00735BF1
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007353FC0_2_007353FC
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007363EA0_2_007363EA
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007367ED0_2_007367ED
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737FD00_2_00737FD0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007333D80_2_007333D8
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731BDE0_2_00731BDE
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007313DC0_2_007313DC
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007337C70_2_007337C7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00736BC60_2_00736BC6
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007373CA0_2_007373CA
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735BB00_2_00735BB0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737F9A0_2_00737F9A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731B840_2_00731B84
      Source: file.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: file.exe, 00000000.00000002.1276125706.0000000000414000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDenotationen5.exe vs file.exe
      Source: file.exe, 00000000.00000002.1276790560.00000000005E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs file.exe
      Source: file.exeBinary or memory string: OriginalFilenameDenotationen5.exe vs file.exe
      Source: file.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal68.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\~DF5C53FDF4DEAA7056.TMPJump to behavior
      Source: file.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\file.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: file.exe PID: 6492, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: file.exe PID: 6492, type: MEMORY
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040C41E pushfd ; retf 0_2_0040C425
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00409D74 push ebp; retf 0_2_00409D75
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004075AA push 00000000h; ret 0_2_004075AC
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00408AD8 pushfd ; retf 0_2_00408AD9
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00733C73 pushf ; iretd 0_2_00733C75
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00733C37 pushfd ; iretd 0_2_00733C75
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00730036 push eax; retf 0_2_0073003E
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00733CE5 push 85335BCEh; ret 0_2_00733CEA
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007319A1 push F7665BCEh; ret 0_2_007319A6
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00730A65 push 85C039CEh; retf 0_2_00730A6A
      Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732865 0_2_00732865
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073284A 0_2_0073284A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073280D 0_2_0073280D
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007358C6 0_2_007358C6
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007358C4 0_2_007358C4
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735941 0_2_00735941
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735908 0_2_00735908
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007359CE 0_2_007359CE
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735A4D 0_2_00735A4D
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735A0B 0_2_00735A0B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007352F1 0_2_007352F1
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735AE2 0_2_00735AE2
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735AB0 0_2_00735AB0
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735B7F 0_2_00735B7F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735B43 0_2_00735B43
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073534F 0_2_0073534F
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731F1A 0_2_00731F1A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735B0B 0_2_00735B0B
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007353E5 0_2_007353E5
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007327D3 0_2_007327D3
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735BB0 0_2_00735BB0
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: file.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 0000000000736986 second address: 0000000000736986 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F42B49A9418h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f cmp bh, ch 0x00000021 test ebx, edx 0x00000023 add edi, edx 0x00000025 test cl, dl 0x00000027 dec dword ptr [ebp+000000F8h] 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007F42B49A93A9h 0x00000036 push ss 0x00000037 pop ss 0x00000038 jmp 00007F42B49A942Bh 0x0000003a jmp 00007F42B49A943Ah 0x0000003c test ch, bh 0x0000003e cmp ecx, ecx 0x00000040 call 00007F42B49A946Bh 0x00000045 call 00007F42B49A9428h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737C70 rdtsc 0_2_00737C70
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: file.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      barindex
      Found potential dummy code loops (likely to delay analysis)Show sources
      Source: C:\Users\user\Desktop\file.exeProcess Stats: CPU usage > 90% for more than 60s
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737C70 rdtsc 0_2_00737C70
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00736074 mov eax, dword ptr fs:[00000030h]0_2_00736074
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00732865 mov eax, dword ptr fs:[00000030h]0_2_00732865
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073284A mov eax, dword ptr fs:[00000030h]0_2_0073284A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0073280D mov eax, dword ptr fs:[00000030h]0_2_0073280D
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737133 mov eax, dword ptr fs:[00000030h]0_2_00737133
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00737131 mov eax, dword ptr fs:[00000030h]0_2_00737131
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007365F7 mov eax, dword ptr fs:[00000030h]0_2_007365F7
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007325A2 mov eax, dword ptr fs:[00000030h]0_2_007325A2
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007336B1 mov eax, dword ptr fs:[00000030h]0_2_007336B1
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00731F1A mov eax, dword ptr fs:[00000030h]0_2_00731F1A
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007327D3 mov eax, dword ptr fs:[00000030h]0_2_007327D3
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: file.exe, 00000000.00000002.1276937539.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: file.exe, 00000000.00000002.1276937539.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: file.exe, 00000000.00000002.1276937539.0000000000D00000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: file.exe, 00000000.00000002.1276937539.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: file.exe, 00000000.00000002.1276937539.0000000000D00000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00735941 cpuid 0_2_00735941

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11Input Capture1Security Software Discovery411Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery211Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.