Malware analysis config_20180706.exe Malicious activity

Add for printing

File name:	config_20180706.exe
Full analysis:	https://app.any.run/tasks/80109919-f430-4dd2-956e-c9db9d893923
Verdict:	Malicious activity
Analysis date:	May 20, 2019, 10:02:54
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386, for MS Windows
MD5:	00CBA2112C9EB46E844D8EAC43FA3B5A
SHA1:	FBEA05E845B072CC4A714D8344976F58A59BF037
SHA256:	077904AAFD3F9D33AF98ABB2125289B4E4B9711C52841E7B8A507CA8156E4DA6
SSDEEP:	1536:MVIn7vLAsry2eslLS8Ti1nQyd9O3jKVfO1HoHoSSq+0Elh6:MU/9+vstGGGFO9SzEi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Changes internet zones settings
  - reg.exe (PID: 1336)
  - reg.exe (PID: 960)
  - reg.exe (PID: 920)
  - reg.exe (PID: 2652)
  - reg.exe (PID: 2896)
  - reg.exe (PID: 3932)
  - reg.exe (PID: 324)
  - reg.exe (PID: 1972)
  - reg.exe (PID: 2568)
  - reg.exe (PID: 2068)
  - reg.exe (PID: 3984)
  - reg.exe (PID: 4028)
  - reg.exe (PID: 3360)
  - reg.exe (PID: 3120)
  - reg.exe (PID: 980)
  - reg.exe (PID: 3860)
  - reg.exe (PID: 3640)
  - reg.exe (PID: 2904)
- Uses NET.EXE to stop Windows Update service
  - cmd.exe (PID: 2504)
- Starts NET.EXE for connection to shared resources
  - cmd.exe (PID: 2504)
- Starts NET.EXE for service management
  - cmd.exe (PID: 2504)
SUSPICIOUS
- Creates files in the user directory
  - cmd.exe (PID: 2504)
  - xcopy.exe (PID: 3292)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 2504)
  - config_20180706.exe (PID: 3688)
- Application launched itself
  - cmd.exe (PID: 2504)
- Uses TASKKILL.EXE to kill process
  - cmd.exe (PID: 2504)
- Uses REG.EXE to modify Windows registry
  - cmd.exe (PID: 2504)
- Modifies the phishing filter of IE
  - reg.exe (PID: 3504)
  - reg.exe (PID: 1572)
- Changes the started page of IE
  - reg.exe (PID: 892)
- Starts Internet Explorer
  - cmd.exe (PID: 2504)
- Creates files in the Windows directory
  - cmd.exe (PID: 2504)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2504)
INFO
- Reads internet explorer settings
  - iexplore.exe (PID: 3396)
- Creates files in the user directory
  - iexplore.exe (PID: 1020)
  - iexplore.exe (PID: 3396)
- Changes internet zones settings
  - iexplore.exe (PID: 1020)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3396)
  - iexplore.exe (PID: 1020)
- Application launched itself
  - iexplore.exe (PID: 1020)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable PureBasic (generic) (58)
.exe	\|	Win32 Executable MS Visual C++ (generic) (17.2)
.exe	\|	Win64 Executable (generic) (15.2)
.dll	\|	Win32 Dynamic Link Library (generic) (3.6)
.exe	\|	Win32 Executable (generic) (2.4)

EXIF

EXE

Subsystem:	Windows command line
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x1000
UninitializedDataSize:	-
InitializedDataSize:	23552
CodeSize:	61440
LinkerVersion:	2.5
PEType:	PE32
TimeStamp:	2017:01:18 11:10:31+01:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:	18-Jan-2017 10:10:31

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	18-Jan-2017 10:10:31
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.code	0x00001000	0x000035B7	0x00003600	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.26514
.text	0x00005000	0x0000B8BB	0x0000BA00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.57376
.rdata	0x00011000	0x0000098E	0x00000A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.61645
.data	0x00012000	0x00001C58	0x00001600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.51551
.rsrc	0x00014000	0x00003B64	0x00003C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.74554

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.08821	672	Latin 1 / Western European	UNKNOWN	RT_MANIFEST
18E747D2FAC6E4DDDF94C2F42BA6D6F3	7.9775	8444	Latin 1 / Western European	UNKNOWN	RT_RCDATA
31E81A43F23E3702349C634706F5C27B	5.32307	44	Latin 1 / Western European	UNKNOWN	RT_RCDATA
40C70B0595CC3EAAD8DE9429D807ED50	7.24058	5316	Latin 1 / Western European	UNKNOWN	RT_RCDATA
6ABBCDA4AE3D0AF1CDD41FD12CB16D57	5.16993	36	Latin 1 / Western European	UNKNOWN	RT_RCDATA
7A811C37905472EE8758C73DE1F5D192	0.918296	6	Latin 1 / Western European	UNKNOWN	RT_RCDATA

Imports


COMCTL32.DLL
GDI32.DLL
KERNEL32.dll
MSVCRT.dll
OLE32.DLL
SHELL32.DLL
SHLWAPI.DLL
USER32.DLL

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

174

Monitored processes

136

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1816	"C:\Users\admin\Desktop\config_20180706.exe"	C:\Users\admin\Desktop\config_20180706.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 3221226540
3688	"C:\Users\admin\Desktop\config_20180706.exe"	C:\Users\admin\Desktop\config_20180706.exe		explorer.exe
User: admin Integrity Level: HIGH Exit code: 0
2504	"C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\41DE.tmp\41EF.bat C:\Users\admin\Desktop\config_20180706.exe"	C:\Windows\system32\cmd.exe	—	config_20180706.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2948	taskkill /f /im "iexplore.exe"	C:\Windows\system32\taskkill.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4028	taskkill /f /im "jp2luncher.exe"	C:\Windows\system32\taskkill.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3292	xcopy /y trusted.certs "C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\security"	C:\Windows\system32\xcopy.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
724	xcopy /y priv.ser "C:\Users\admin\AppData\Roaming\..\locallow\.wt"	C:\Windows\system32\xcopy.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2344	xcopy /y priv.ser "C:\Users\admin\AppData\Roaming\..\.wt"	C:\Windows\system32\xcopy.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Extended Copy Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3380	setx /m JAVA_TOOL_OPTIONS -Djava.vendor="'Sun Microsystems Inc.'"	C:\Windows\system32\setx.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Setx - Sets environment variables Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
908	setx /m JAVA_HOME "C:\Program Files\java\jre6"	C:\Windows\system32\setx.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Setx - Sets environment variables Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

510

Read events

377

Write events

130

Delete events

Modification events


(PID) Process:	—	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment
Operation:	write	Name:	JAVA_TOOL_OPTIONS
Value: -Djava.vendor='Sun Microsystems Inc.'
(PID) Process:	—	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment
Operation:	write	Name:	JAVA_HOME
Value: C:\Program Files\java\jre6
(PID) Process:	—	Key:	HKEY_CURRENT_USER\Software\JavaSoft\Java Update\Policy
Operation:	write	Name:	EnableAutoUpdateCheck
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000CC700B22821A48429B4B3FF2B5ABB4EC0000000002000000000003660000C000000010000000D7F5D95A87E042F5C72CCAD82FC304EA0000000004800000A0000000100000007DA00FEDF908B9DE9489A7731C1A842B08000000A8FEE4BD7990A5CC14000000CC6BA7DFDFCA71FC5C1FBBB09D1D65DB40FE04EA
(PID) Process:	—	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData
Operation:	write	Name:	UserFilter
Value: 411F00005308ADBA020000006200000001000000020000000C000000EBB23155DF1FD301010000000C006300750063006B006F006F002E0063006F002E006B0072000C00000021BDA49A5E20D301010000000D006300750063006B006F006F002E0064006F006D00610069006E00
(PID) Process:	(1336) reg.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Operation:	write	Name:	1809
Value: 3
(PID) Process:	—	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:	write	Name:	PopupsUseNewWindow
Value: 0
(PID) Process:	(960) reg.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Operation:	write	Name:	2301
Value: 0
(PID) Process:	(2652) reg.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Operation:	write	Name:	2101
Value: 0
(PID) Process:	(324) reg.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Operation:	write	Name:	1409
Value: 3
(PID) Process:	(2896) reg.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Operation:	write	Name:	1409
Value: 3

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3688	config_20180706.exe	C:\Users\admin\Desktop\priv.ser		binary
		MD5:C0DA0804F7504A815D4CCBC058FAFD32	SHA256:0DB8A90924915C57BBA4BFE3ABA2EB344E58C2BA316FCC2E2019C8CAF9320916
3688	config_20180706.exe	C:\Users\admin\AppData\Local\Temp\41DE.tmp\41EF.bat		text
		MD5:F6434B520CE3AA32020B5FC4A999B986	SHA256:3D9640C0E15933764B9C61835840DCE916B1F00189645CE90B6EAF5C05BFF71F
724	xcopy.exe	C:\Users\admin\AppData\locallow\.wt\priv.ser		binary
		MD5:C0DA0804F7504A815D4CCBC058FAFD32	SHA256:0DB8A90924915C57BBA4BFE3ABA2EB344E58C2BA316FCC2E2019C8CAF9320916
2344	xcopy.exe	C:\Users\admin\AppData\.wt\priv.ser		binary
		MD5:C0DA0804F7504A815D4CCBC058FAFD32	SHA256:0DB8A90924915C57BBA4BFE3ABA2EB344E58C2BA316FCC2E2019C8CAF9320916
3292	xcopy.exe	C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\security\trusted.certs		jks
		MD5:3020F9F2B36B2F1303A46F5234A13AF5	SHA256:D90EBEAF1A97BFAF9B7BAF9A52DC67AE5859C97DC9694AF101E84B7C43EF44B4
2504	cmd.exe	C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties		text
		MD5:A1802B912096CD1E89746A211946E9B1	SHA256:F7015EC0CBBFF5006E931F0494A4EC5D3E3008C4FA94472A1C260667B69C54C8
2504	cmd.exe	C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\deployment.properties		text
		MD5:A1802B912096CD1E89746A211946E9B1	SHA256:F7015EC0CBBFF5006E931F0494A4EC5D3E3008C4FA94472A1C260667B69C54C8
2504	cmd.exe	C:\Windows\ip.bat		text
		MD5:1F2B70D8D91E9E1708BCD4A8AFE4D849	SHA256:963C26040CDD500856D1CB74DDD175A17A033E173EACD887E00A09FFDD3C36C1
2504	cmd.exe	C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties.bak		text
		MD5:83AD36C3676F18050C889097D9840AE7	SHA256:F3960EB590E0BD44502ABC60979F664CA200FE1405046048769F9908CC92A9DA
2504	cmd.exe	C:\Windows\ipp.bat		text
		MD5:4085F2383D3B8448877745F2BD7163CA	SHA256:ED1FB7494112587F67A837985B8F24662A3672C23306B3C64338DCD5D0977BA7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3396	iexplore.exe	GET	—	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/swanEXTN-custom-2_3_6_5-ko-ie-windows.css	KR	—	—	suspicious
3396	iexplore.exe	GET	—	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/oafcoreR121.js	KR	—	—	suspicious
3396	iexplore.exe	GET	200	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/Common2_3_6_5.js	KR	text	116 Kb	suspicious
3396	iexplore.exe	GET	200	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/globalTop.jpg	KR	image	19.3 Kb	suspicious
3396	iexplore.exe	GET	200	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/people.jpg	KR	image	971 b	suspicious
3396	iexplore.exe	GET	—	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/lightBlue_back.jpg	KR	—	—	suspicious
1020	iexplore.exe	GET	200	23.210.249.75:80	http://www.naver.com/favicon.ico	NL	image	322 b	whitelisted
3396	iexplore.exe	GET	200	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/FNDSSCORP.gif	KR	image	322 b	suspicious
3396	iexplore.exe	GET	200	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/t.htm	KR	html	29 b	suspicious
3396	iexplore.exe	GET	200	210.105.131.211:80	http://silkroad.cuckoo.co.kr/ohs_images/topLines.gif	KR	image	9.66 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3396	iexplore.exe	210.105.131.211:80	silkroad.cuckoo.co.kr	Korea Telecom	KR	suspicious
1020	iexplore.exe	23.210.249.75:80	www.naver.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
silkroad.cuckoo.co.kr	210.105.131.211	suspicious
www.naver.com	23.210.249.75	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

config_20180706.exe

00CBA2112C9EB46E844D8EAC43FA3B5A

FBEA05E845B072CC4A714D8344976F58A59BF037

077904AAFD3F9D33AF98ABB2125289B4E4B9711C52841E7B8A507CA8156E4DA6

1536:MVIn7vLAsry2eslLS8Ti1nQyd9O3jKVfO1HoHoSSq+0Elh6:MU/9+vstGGGFO9SzEi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes internet zones settings

Uses NET.EXE to stop Windows Update service

Starts NET.EXE for connection to shared resources

Starts NET.EXE for service management

SUSPICIOUS

Creates files in the user directory

Starts CMD.EXE for commands execution

Application launched itself

Uses TASKKILL.EXE to kill process

Uses REG.EXE to modify Windows registry

Modifies the phishing filter of IE

Changes the started page of IE

Starts Internet Explorer

Creates files in the Windows directory

Starts SC.EXE for service management

INFO

Reads internet explorer settings

Creates files in the user directory

Changes internet zones settings

Reads Internet Cache Settings

Application launched itself

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings