Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com.Variant.Jaik.46242.3594.22390

Overview

General Information

Sample Name:SecuriteInfo.com.Variant.Jaik.46242.3594.22390 (renamed file extension from 22390 to exe)
Analysis ID:431830
MD5:99bbf83abe9d6e4ecc91493e32230833
SHA1:b0bd6ba2dc10eb5552edc7a3460c80ee0eb1b11e
SHA256:2b2a00650dc91d1a7ccfa4a62e3462762c62d8a092bddb75943f87074f1d56a5
Tags:exeGuLoader
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
SecuriteInfo.com.Variant.Jaik.46242.3594.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
        00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
            0.0.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co"}
              Multi AV Scanner detection for submitted fileShow sources
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeVirustotal: Detection: 26%Perma Link
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

              Networking:

              barindex
              C2 URLs / IPs found in malware configurationShow sources
              Source: Malware configuration extractorURLs: https://www.pos.nblwarehouse.my.id/bin_GgrWeMMq137.bin, http://benvenuti.rs/wp-co

              System Summary:

              barindex
              Potential malicious icon foundShow sources
              Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A2E NtAllocateVirtualMemory,0_2_02286A2E
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286C20 NtAllocateVirtualMemory,0_2_02286C20
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A78 NtAllocateVirtualMemory,0_2_02286A78
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286AF8 NtAllocateVirtualMemory,0_2_02286AF8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286B94 NtAllocateVirtualMemory,0_2_02286B94
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00401C100_2_00401C10
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_004055F30_2_004055F3
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A2E0_2_02286A2E
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022866290_2_02286629
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022832380_2_02283238
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283A300_2_02283A30
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022838340_2_02283834
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228B4090_2_0228B409
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228341C0_2_0228341C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228666C0_2_0228666C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286A780_2_02286A78
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022844400_2_02284440
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228185A0_2_0228185A
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022832A00_2_022832A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283AA00_2_02283AA0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022866B80_2_022866B8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022844900_2_02284490
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02286AF80_2_02286AF8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022834C00_2_022834C0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022836DE0_2_022836DE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022839250_2_02283925
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228173C0_2_0228173C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02283B300_2_02283B30
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228350C0_2_0228350C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228450C0_2_0228450C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228331C0_2_0228331C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022837140_2_02283714
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022833A40_2_022833A4
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022817B80_2_022817B8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022837880_2_02283788
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022849930_2_02284993
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022847ED0_2_022847ED
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022843FB0_2_022843FB
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022831D80_2_022831D8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022839DC0_2_022839DC
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721975031.00000000020B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000000.197037296.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeBinary or memory string: OriginalFilenameTWINEMAKER.exe vs SecuriteInfo.com.Variant.Jaik.46242.3594.exe
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: classification engineClassification label: mal96.rans.troj.evad.winEXE@1/0@0/0
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exeVirustotal: Detection: 26%

              Data Obfuscation:

              barindex
              Yara detected GuLoaderShow sources
              Source: Yara matchFile source: 00000000.00000002.722670441.0000000002280000.00000040.00000001.sdmp, type: MEMORY
              Yara detected GuLoaderShow sources
              Source: Yara matchFile source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, type: SAMPLE
              Source: Yara matchFile source: 00000000.00000000.197018556.0000000000401000.00000020.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.721540373.0000000000401000.00000020.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0.2.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.SecuriteInfo.com.Variant.Jaik.46242.3594.exe.400000.0.unpack, type: UNPACKEDPE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409C54 push es; iretd 0_2_00409C5E
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0040605F push 00000059h; retf 0_2_00406061
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00406E64 push eax; retf 0_2_00406E65
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0040A065 pushad ; retf 0_2_0040A0B8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409E0D push edx; iretd 0_2_00409E12
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409EF8 push ss; iretd 0_2_00409EFE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00406AFE push es; iretd 0_2_00406B02
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_004079CA push cs; iretd 0_2_004079CE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00409387 push ss; iretd 0_2_004093A6
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00408D90 push cs; iretd 0_2_00408D9E
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_00403191 push dword ptr [ebp-44h]; ret 0_2_0041ECA4
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02285356 push edi; iretd 0_2_02285357
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              barindex
              Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 0000000002289F94 second address: 000000000228A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F7DFCC1F3BEh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F7DFCC1F8D0h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F7DFCC1F8C4h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 000000000228A040 second address: 000000000228A040 instructions:
              Tries to detect virtualization through RDTSC time measurementsShow sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 0000000002289F94 second address: 000000000228A040 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a sub esp, 00000100h 0x00000010 mov edi, esp 0x00000012 test cx, dx 0x00000015 add esp, 00000100h 0x0000001b test eax, eax 0x0000001d mov dword ptr [edi+28h], eax 0x00000020 test bx, dx 0x00000023 mov esi, BEC25DA1h 0x00000028 add esi, 4F1D403Dh 0x0000002e xor esi, E8F819C0h 0x00000034 add esi, 1AD96BE2h 0x0000003a jmp 00007F7DFCC1F3BEh 0x0000003c pushad 0x0000003d mov eax, 0000003Fh 0x00000042 cpuid 0x00000044 popad 0x00000045 add esi, 00001000h 0x0000004b cmp esi, 0000F000h 0x00000051 je 00007F7DFCC1F8D0h 0x00000057 cmp esi, 7FFFF000h 0x0000005d je 00007F7DFCC1F8C4h 0x00000063 push 0AF1A7F6h 0x00000068 xor dword ptr [esp], 7FA34B79h 0x0000006f pushad 0x00000070 rdtsc
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeRDTSC instruction interceptor: First address: 000000000228A040 second address: 000000000228A040 instructions:
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284E28 rdtsc 0_2_02284E28
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

              Anti Debugging:

              barindex
              Found potential dummy code loops (likely to delay analysis)Show sources
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeProcess Stats: CPU usage > 90% for more than 60s
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284E28 rdtsc 0_2_02284E28
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_02284440 mov eax, dword ptr fs:[00000030h]0_2_02284440
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022864F9 mov eax, dword ptr fs:[00000030h]0_2_022864F9
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022890F5 mov eax, dword ptr fs:[00000030h]0_2_022890F5
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022836DE mov eax, dword ptr fs:[00000030h]0_2_022836DE
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_0228993D mov eax, dword ptr fs:[00000030h]0_2_0228993D
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.46242.3594.exeCode function: 0_2_022843FB mov eax, dword ptr fs:[00000030h]0_2_022843FB
              Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: SecuriteInfo.com.Variant.Jaik.46242.3594.exe, 00000000.00000002.721862094.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Progmanlock

              Mitre Att&ck Matrix

              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery31Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery21Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.