Windows Analysis Report
6Sy6PrInNl.exe

Overview

General Information

Sample Name: 6Sy6PrInNl.exe
Analysis ID: 708240
MD5: cd1ffe7c30311659ea1be07ed7923d65
SHA1: 310fcf3a43286785eb88d742f5deeae150c661e9
SHA256: 842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
Tags: exemorpheuspwtorun

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
File is packed with WinRar
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample reads itself and does not show any behavior, likely it performs some host environment checks which are compared to an embedded key
  • System is w10x64
  • 6Sy6PrInNl.exe (PID: 1404 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" -install MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • 6Sy6PrInNl.exe (PID: 5552 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" /install MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • 6Sy6PrInNl.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" /load MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 6Sy6PrInNl.exe ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe Virustotal: Detection: 30%
Source: 6Sy6PrInNl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6Sy6PrInNl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099C330 SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AB348 FindFirstFileExA,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098848E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00994088
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009900B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009840FE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A51C9
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00997153
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009962CA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009832F7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009943BF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098C426
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AD440
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098F461
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009977EF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AD8EE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098286B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098E9B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009B19F4
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00996CDC
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00993E0B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A4F9A
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098EFE2
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: String function: 0099EC50 appears 55 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: String function: 0099F5F0 appears 31 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: String function: 0099EB78 appears 39 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00986FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File read: C:\Users\user\Desktop\6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_00986C74 GetLastError,FormatMessageW,
Source: 6Sy6PrInNl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" -install
Source: unknown Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" /install
Source: unknown Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" /load
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Command line argument: sfxname
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Command line argument: sfxstime
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Command line argument: STARTDLG
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7126781
Source: classification engine Classification label: sus36.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6Sy6PrInNl.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6Sy6PrInNl.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F640 push ecx; ret
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099EB78 push eax; ret
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7126781
Source: 6Sy6PrInNl.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099E6A3 VirtualQuery,GetSystemInfo,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A7DEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009AC030 GetProcessHeap,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F9D5 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_009A8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: GetLocaleInfoW,GetNumberFormatW,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099F654 cpuid
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0098B146 GetVersionExW,
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe Code function: 0_2_0099DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle,
MITRE ATT&CK Matrix

Techniques are listed per tactic; the number in parentheses is the count of matched signatures, and techniques without a number did not match.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Native API (1); At (Linux); At (Windows); Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Masquerading (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (1); Security Software Discovery (2); File and Directory Discovery (2); System Information Discovery (25); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data