Loading ...

Play interactive tourEdit tour

Windows Analysis Report sVNHE4jjOw.exe

Overview

General Information

Sample Name:sVNHE4jjOw.exe
Analysis ID:449805
MD5:72fe87cb4fd41cf172a9caecbdc6887f
SHA1:2c8c745378f4a80e96dbabf574d1ac2d6408df69
SHA256:6d26df7a7163053aa756f62ee4504af93020696cee98a1fc891c600ac76acc1c
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • sVNHE4jjOw.exe (PID: 2412 cmdline: 'C:\Users\user\Desktop\sVNHE4jjOw.exe' MD5: 72FE87CB4FD41CF172A9CAECBDC6887F)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://ceattire.com/bin_BDePikHU25.bin"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1293352201.0000000002490000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: sVNHE4jjOw.exeMalware Configuration Extractor: GuLoader {"Payload URL": "http://ceattire.com/bin_BDePikHU25.bin"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: sVNHE4jjOw.exeVirustotal: Detection: 34%Perma Link
    Source: sVNHE4jjOw.exeReversingLabs: Detection: 23%
    Source: sVNHE4jjOw.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb source: sVNHE4jjOw.exe
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb@ source: sVNHE4jjOw.exe

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: http://ceattire.com/bin_BDePikHU25.bin
    Source: sVNHE4jjOw.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: sVNHE4jjOw.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: sVNHE4jjOw.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: sVNHE4jjOw.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: sVNHE4jjOw.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: sVNHE4jjOw.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: sVNHE4jjOw.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: sVNHE4jjOw.exeString found in binary or memory: http://ocsp.digicert.com0O
    Source: sVNHE4jjOw.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: sVNHE4jjOw.exeString found in binary or memory: https://www.digicert.com/CPS0
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249561F NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495608 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495761 NtAllocateVirtualMemory,
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_00401470
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249561F
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495A62
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492A7D
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492A1E
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495AE6
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024982F3
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02491282
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02498299
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024922A2
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495AB8
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493B61
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249830C
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02496B29
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492B26
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492BDA
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249738E
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493860
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02490000
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024980B4
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249214C
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024901CD
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024979F8
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024941FC
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495985
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249399F
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024949A8
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024979AB
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02490644
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249065D
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02494653
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02494668
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492662
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493E65
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495608
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249363C
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024986DD
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492EE8
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024926F6
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02491F7E
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02498F74
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249470F
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024979AB
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024977D5
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02491F82
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02494787
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02498FAD
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024927BE
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02494C1D
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493CC0
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024904C2
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024924DC
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02496CE4
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024934F9
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02491C99
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02491CAE
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493506
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249351C
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02494511
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024945CF
    Source: sVNHE4jjOw.exeStatic PE information: invalid certificate
    Source: sVNHE4jjOw.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: sVNHE4jjOw.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: sVNHE4jjOw.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: sVNHE4jjOw.exe, 00000000.00000000.208241006.0000000000438000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe
    Source: sVNHE4jjOw.exeBinary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe
    Source: sVNHE4jjOw.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCFF2D9BF10EAD27A.TMPJump to behavior
    Source: sVNHE4jjOw.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: sVNHE4jjOw.exeVirustotal: Detection: 34%
    Source: sVNHE4jjOw.exeReversingLabs: Detection: 23%
    Source: sVNHE4jjOw.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb source: sVNHE4jjOw.exe
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb@ source: sVNHE4jjOw.exe

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.1293352201.0000000002490000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_00404960 push es; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B1774 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B0218 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B4A13 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B3213 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B1A13 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B6214 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B5A03 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B4205 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B2A05 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B1205 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B4233 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B2A33 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B1233 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B5A33 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B5225 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B3A24 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B2224 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B0A24 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B6A24 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B0A58 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B5253 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B3A54 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B2254 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B6A54 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B0248 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B4A44 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B3244 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B1A44 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B6244 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_021B0278 push edx; ret
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495A62
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492A7D
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492A1E
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493B61
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492B26
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492BDA
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249385C
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493860
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024980B4
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492EE8
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024924DC
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493506
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249351C
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeRDTSC instruction interceptor: First address: 0000000002497129 second address: 0000000002497129 instructions:
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeRDTSC instruction interceptor: First address: 0000000002497129 second address: 0000000002497129 instructions:
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeRDTSC instruction interceptor: First address: 00000000024992E8 second address: 00000000024992E8 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp edx, dword ptr [ebp+44h] 0x0000000e jne 00007F638CBCE529h 0x00000010 sub edx, 04h 0x00000013 xor dword ptr [edx], ecx 0x00000015 pushad 0x00000016 lfence 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493A60 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493A60 rdtsc
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249320F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02492A1E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02495283 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024980B4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02496F30 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_024974A3 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02493506 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_0249351C mov eax, dword ptr fs:[00000030h]
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: sVNHE4jjOw.exe, 00000000.00000002.1292457219.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: sVNHE4jjOw.exe, 00000000.00000002.1292457219.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: sVNHE4jjOw.exe, 00000000.00000002.1292457219.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: sVNHE4jjOw.exe, 00000000.00000002.1292457219.0000000000D80000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\sVNHE4jjOw.exeCode function: 0_2_02490644 cpuid

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery311Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.