Loading ...

Play interactive tourEdit tour

Analysis Report dt9XEhpeQQ

Overview

General Information

Sample Name:dt9XEhpeQQ (renamed file extension from none to exe)
Analysis ID:431849
MD5:5423976b486afd6a8dad047fb947b190
SHA1:f04947aa1b4e9500e4b31d2365ac886447ba4427
SHA256:e73ecaf549049b8c4f8701e55c95220e09890df2d93ef52465ccd4b448a6d19f
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Potential malicious icon found
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • dt9XEhpeQQ.exe (PID: 3924 cmdline: 'C:\Users\user\Desktop\dt9XEhpeQQ.exe' MD5: 5423976B486AFD6A8DAD047FB947B190)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Machine Learning detection for sampleShow sources
    Source: dt9XEhpeQQ.exeJoe Sandbox ML: detected
    Source: dt9XEhpeQQ.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227578F NtAllocateVirtualMemory,0_2_0227578F
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_004013680_2_00401368
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227578F0_2_0227578F
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02274A310_2_02274A31
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02272A050_2_02272A05
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227127D0_2_0227127D
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022702470_2_02270247
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022782E30_2_022782E3
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022776CE0_2_022776CE
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02271F060_2_02271F06
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02272F010_2_02272F01
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022747000_2_02274700
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02271F110_2_02271F11
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022707630_2_02270763
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02278F6A0_2_02278F6A
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227737E0_2_0227737E
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02278F7C0_2_02278F7C
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02274B5A0_2_02274B5A
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022723A50_2_022723A5
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022717A40_2_022717A4
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02270F820_2_02270F82
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022713890_2_02271389
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022717930_2_02271793
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022783EB0_2_022783EB
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227282E0_2_0227282E
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227903F0_2_0227903F
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227541A0_2_0227541A
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022728690_2_02272869
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022730410_2_02273041
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02272CBB0_2_02272CBB
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02271C8D0_2_02271C8D
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227389C0_2_0227389C
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022714980_2_02271498
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022784E90_2_022784E9
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022730D60_2_022730D6
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022749220_2_02274922
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227452A0_2_0227452A
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022779290_2_02277929
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022741B90_2_022741B9
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022725ED0_2_022725ED
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022705C40_2_022705C4
    Source: dt9XEhpeQQ.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: dt9XEhpeQQ.exe, 00000000.00000002.730326538.0000000002B90000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSkiftela2.exeFE2XG vs dt9XEhpeQQ.exe
    Source: dt9XEhpeQQ.exe, 00000000.00000000.197757674.0000000000431000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSkiftela2.exe vs dt9XEhpeQQ.exe
    Source: dt9XEhpeQQ.exeBinary or memory string: OriginalFilenameSkiftela2.exe vs dt9XEhpeQQ.exe
    Source: dt9XEhpeQQ.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal76.rans.troj.evad.winEXE@1/0@0/0
    Source: dt9XEhpeQQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_004190F0 push eax; retf 0_2_004190FB
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0041B14B push cs; retf 0_2_0041B156
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0041DB0B push es; iretd 0_2_0041DB0C
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00419F95 push cs; retf 0_2_00419F9A
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_006215F3 push edx; ret 0_2_00621621
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00623063 push edx; ret 0_2_00623091
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00621863 push edx; ret 0_2_00621891
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00624863 push edx; ret 0_2_00624891
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00626065 push edx; ret 0_2_00626091
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00620068 push edx; ret 0_2_00620091
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00622074 push edx; ret 0_2_006220A1
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00623874 push edx; ret 0_2_006238A1
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00625074 push edx; ret 0_2_006250A1
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00626875 push edx; ret 0_2_006268A1
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00620878 push edx; ret 0_2_006208A1
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00620843 push edx; ret 0_2_00620871
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00622043 push edx; ret 0_2_00622071
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00623843 push edx; ret 0_2_00623871
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00625043 push edx; ret 0_2_00625071
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00626844 push edx; ret 0_2_00626871
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00621054 push edx; ret 0_2_00621081
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00622854 push edx; ret 0_2_00622881
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00624054 push edx; ret 0_2_00624081
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00625854 push edx; ret 0_2_00625881
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00627054 push edx; ret 0_2_00627081
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00621023 push edx; ret 0_2_00621051
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00622823 push edx; ret 0_2_00622851
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00624023 push edx; ret 0_2_00624051
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00627024 push edx; ret 0_2_00627051
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00625825 push edx; ret 0_2_00625851
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_00624833 push edx; ret 0_2_00624861
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227578F NtAllocateVirtualMemory,0_2_0227578F
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022782E3 0_2_022782E3
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02272F01 0_2_02272F01
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02274700 0_2_02274700
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02278F6A 0_2_02278F6A
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022723A5 0_2_022723A5
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02270F82 0_2_02270F82
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022783EB 0_2_022783EB
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227282E 0_2_0227282E
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02273041 0_2_02273041
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02272CBB 0_2_02272CBB
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022784E9 0_2_022784E9
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022730D6 0_2_022730D6
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227452A 0_2_0227452A
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02277929 0_2_02277929
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022741B9 0_2_022741B9
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeRDTSC instruction interceptor: First address: 00000000022759C0 second address: 00000000022759C0 instructions:
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeRDTSC instruction interceptor: First address: 0000000002277E3F second address: 0000000002277E3F instructions:
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeRDTSC instruction interceptor: First address: 0000000002279186 second address: 0000000002279186 instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeRDTSC instruction interceptor: First address: 00000000022759C0 second address: 00000000022759C0 instructions:
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeRDTSC instruction interceptor: First address: 0000000002277E3F second address: 0000000002277E3F instructions:
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeRDTSC instruction interceptor: First address: 0000000002279186 second address: 0000000002279186 instructions:
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeRDTSC instruction interceptor: First address: 0000000002277B34 second address: 0000000002277B34 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A61B5935h 0x00000007 sub eax, 0A56D0FAh 0x0000000c sub eax, E6EE1F05h 0x00000011 sub eax, B4D66935h 0x00000016 cpuid 0x00000018 cmp ax, bx 0x0000001b popad 0x0000001c call 00007F8C6CD58698h 0x00000021 lfence 0x00000024 mov edx, DFDCCA82h 0x00000029 add edx, 10E79E27h 0x0000002f add edx, 1BD31F13h 0x00000035 xor edx, 736987A8h 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 cmp edx, edx 0x00000042 cmp ch, dh 0x00000044 cmp ah, dh 0x00000046 test dh, 00000068h 0x00000049 test dl, cl 0x0000004b ret 0x0000004c sub edx, esi 0x0000004e ret 0x0000004f add edi, edx 0x00000051 test bl, FFFFFFB5h 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a test dx, dx 0x0000005d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000064 jne 00007F8C6CD58672h 0x00000066 test dl, al 0x00000068 cmp bh, bh 0x0000006a call 00007F8C6CD586B9h 0x0000006f call 00007F8C6CD586BCh 0x00000074 lfence 0x00000077 mov edx, DFDCCA82h 0x0000007c add edx, 10E79E27h 0x00000082 add edx, 1BD31F13h 0x00000088 xor edx, 736987A8h 0x0000008e mov edx, dword ptr [edx] 0x00000090 lfence 0x00000093 cmp edx, edx 0x00000095 cmp ch, dh 0x00000097 cmp ah, dh 0x00000099 test dh, 00000068h 0x0000009c test dl, cl 0x0000009e ret 0x0000009f mov esi, edx 0x000000a1 pushad 0x000000a2 rdtsc
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227578F rdtsc 0_2_0227578F
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227578F rdtsc 0_2_0227578F
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_022782E3 mov eax, dword ptr fs:[00000030h]0_2_022782E3
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02275346 mov eax, dword ptr fs:[00000030h]0_2_02275346
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02277390 mov eax, dword ptr fs:[00000030h]0_2_02277390
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227787F mov eax, dword ptr fs:[00000030h]0_2_0227787F
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_02272CBB mov eax, dword ptr fs:[00000030h]0_2_02272CBB
    Source: C:\Users\user\Desktop\dt9XEhpeQQ.exeCode function: 0_2_0227389C mov eax, dword ptr fs:[00000030h]0_2_0227389C
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.