An antivirus service flagged an artifact as malicious. When using antivirus software, relying on a single engine is susceptible to false-positives. Online services, such as VirusTotal and Reversing Labs, use multiple antivirus engines to scan a file and the scan results of all engines are taken together to make a more accurate determination. One or more of these services have indicated that the file is malicious with a high degree of confidence. The results of individual antivirus engine scans are displayed, if available.

A domain referenced during the sample run has been categorized as adware by Cisco Umbrella. Cisco Umbrella is a cloud security platform which provides additional detail about network activity such as security and content categorization for domains. Adware is a special type of malware, that typically causes no harm to the computer or user, but may modify the behaviour of programs or operating systems to display ads. They often included some kind of persistence, and are generally unwanted programs. Being categorized as adware by Cisco Umbrella suggests that the site hosts freeware that comes bundles with adware so caution should be taken when navigating to these sites.

A domain referenced during the sample run has been categorized as a potentially harmful by Cisco Umbrella. Cisco Umbrella is a cloud security platform which provides additional detail about network activity such as security and content categorization for domains. Being categorized as potentially harmful suggests that malicious activity has been seen on, or at least associated with the domain in question. It is also possible that Cisco Umbrella has detected an exploit which has yet to be classified by an analyst. These domains should be handled very carefully.

A machine learning model has determined that one or more artifacts are likely malicious. The machine learning model is trained on a very large number of samples. The output of the training is a decision engine that takes static features of executables as input and returns a verdict on whether it is malicious or unknown. In general, a single feature of an artifact will not cause it to be determined as malicious, but rather the decision engine uses all features about the artifact together to come up with a verdict.

A Snort rule identified a network stream that may contain shellcode. Snort is an intrusion prevention service that watches network traffic for unusual and/or malicious material. In this case, the rule belongs to a set that checks for patterns common to shellcode.

A process deleted a file using cmd.exe. Malware authors will often delete the original binary and files containing configuration instructions and commands. The files are then deleted to remove any visible evidence of the malware infection.

An App Path registry key was modified. These parituclar keys are used to allow users to run programs based on their common name rather than their full path. Malware can replace the path of a legitimate executable with it's own malicious file.

Malware will modify files within the Program Files to hamper legitimate applications (such as security software) and attempt to appear as a legitimate application on the system. Other reasons for modification include attempts to remove evidence of malicious software activity.

An excessive number of DNS queries detected. Malware will generally attempt to make contact with its command and control infrastructure when it is first executed. Malware that makes use of domain generation algorithms will often query a large number of domains looking for an active command and control server. In addition, adware and potentially unwanted applications often attempt to resolve a large number of domains.

Most compilers add a resource to PE files called "Version Info". The Version Info resource contains metadata about the PE file, including the PE file's original filename. The original filename attribute can be used to determine if the PE's filename was changed from the name it had when it was originally compiled. Most legitimate software will not change the name of PE files from their original name.

A process was found that made an extraordinarily large number of file modifications. Most processes will perform some file modification to a single file or a small set of files. Installers may write many files. While these file modifications are not necessarily malicious, modification of more than a hundred files is suspicious. Viruses and ransomware may modify hundreds or thousands of files on a system in a short time.

Malware will modify executables on a system, to hide logs or other evidence. Also, by modifying various executables it can disable functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to hide an executable, so that it appears to be a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.

Malware will often create a new executable file in a user directory such as 'Local Settings' or 'Application Data' in an attempt to hide its presence on the system. Often the name of the file is similar to the name of common system or user files. This is done to hide the executable, as the user may believe it's a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.

Outbound HTTP GET to a remote server was detected. This is not inherently suspicious but malware will often use Gets in order to check in to the Command and Control servers upon infection or to download or exfiltrate data. Please view the 'HTTP' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

Malware will modify files in user directories to hide logs or other evidence. Also, by modifying various files it can disable functionality in the system which may detect or hamper the operation of the malware. Lastly, it may be attempting to hide an executable, so that it appears to be a legitimate file. Please review the 'Disk Artifacts' section in order to view additional details about this file.

DNS network traffic was sent to a known public DNS server that is not the system's assigned DNS server. A small number of reliable public DNS servers are available for public use. For example, Google maintains the DNS servers at 8.8.8.8 and 8.8.4.4. The use of a public DNS server is not by itself malicious, but could indicate attempts to evade network filtering or hide malicious data.

A Snort rule identified a network stream as likely obfuscated. Snort is an intrusion prevention service that watches network traffic for unusual and/or malicious material. In this case, the rule belongs to a set that checks for the transfer of sensitive information over the network. Sensitive data can include credit card numbers, social security numbers and email addresses.

A Snort rule identified a network stream as possibly carrying an executable program. Snort is an intrusion prevention service that watches network traffic for unusual and/or malicious material. In this case, the rule belongs to a set that checks for material concerning executable filetypes (such as PE files for Windows). These rules either note the presence of executable code or warn of known patterns associated with packers or vulnerabilities.

A PE executable was downloaded over the network. While this does not necessarily imply that it is malicious, it is suspicious. Malware will often download additional executables for added capabilities and so this file should be reviewed for additional activity that might be suspicious.

A file was uploaded to the network using HTTP. Legitimate programs do this at the user's direction or to provide needed information to an online service. Malware may enumerate a disk using standard tools to gather information, which is sent back to a command and control server for a more targeted second-stage attack.

A COM class has a few subkeys of particular interest to a packager and his associated support teams. One of these attributes in particular is: InProcServer32. The InProcServer32 key contains the path to the actual DLL itself, or can also contain a Windows Installer Darwin Descriptor. When an application or script uses an API call such as "CreateObject", The operating system will first lookup the ProgID in the Windows registry, it will then cross reference the ProgID with its associated ClassID which will in turn look for an InProcServer32 value which will contain the path to the actual DLL which contains the COM class.

A static analysis rule identified an artifact that has one or more anomalous characteristics. These anomalies may exist due to flaws in the file generation or misunderstandings of the format. Malware may use file anomalies to confuse antivirus parsers and hide code in unusual locations.

A process executed a file using cmd.exe. Malware authors will often launch batch or shellscripts that utilize Windows shell utilities. Additional uses include launching an interactive command shell.

A new file was added to the Windows Start Menu folder to ensure that this file runs on system startup. Please review the 'Disk Artifacts' section in order to view additional details about this file.

An executable file imports the Process Status library (psapi.dll). This allows the process to gather information about all the processes and device drivers running on the system and the libraries that those processes import. Legitimate uses for this include writing debuggers and system utilities. Malware may use this library to check the system for antivirus programs or anti-malware techniques. This allows the malicious program to disable or circumvent protective measures.

An executable file imports one or more of the ToolHelp functions. These functions simplify gathering information about running processes, such as the libraries imported, threads and heap allocations. Legitimate uses for this include writing debuggers and system utilities. Malware may use these functions to check the system for antivirus programs or anti-malware techniques. This allows the malicious program to disable or circumvent protective measures.

A process was started with an exceptionally long command-line. Many processes will use a command-line option beyond the filename itself. Other items may use a script on the command-line, which executes in the shell. Malware will sometimes make very long command-lines that contain obfuscated information, to avoid writing their command to disk, where it may be found by forensic tools.

A file was downloaded to disk. This is not inherently suspicious, but this indicator will help an analyst correlate files to download sources.

Some malware applications write code into areas of memory intended for data (such as a thread's stack) and then the application executes the malicious code. Windows introduced Data Execution Prevention (DEP) which provided protection against this type of attack. If an attempt to execute code is made in a page that does not have the PAGE_EXECUTE_ protection, an access violation will occur. Malware will often allocate memory in which it will inject code. In order to bypass DEP the allocated memory must be marked Read, Write and Execute. The submitted sample allocated a memory region with the flag PAGE_EXECUTE_READWRITE. This could indicate the presence of code injection, into itself or a remote process.

A process registered a service DLL using Regsvr32.exe. Malware will often download additional DLLs to provide enhanced functionality. These DLLs will be registered and their path with often be added to various autorun or other registry keys used to maintain persistence on a system.

What most programmers call flags, the COFF/PE format calls characteristics. This field is a set of flags that indicate the section's attributes (such as code/data, readable, or writeable). When used with a DLL, the data in this section will be shared among all processes using the DLL. The default is for data sections to be nonshared, meaning that each process using a DLL gets its own copy of this section's data. In more technical terms, a shared section tells the memory manager to set the page mappings for this section such that all processes using the DLL refer to the same physical page in memory. This creates a certain security problem where the attacker is able to directly manipulate a certain portion of memory.

Thread Local Storage (TLS) is a Windows storage class in which a data object is not an automatic stack variable, yet is local to each thread that runs the code. When TLS is implemented by an executable, the code will typically contain a .tls section in the PE header. TLS supports callback functions for initialization and termination of TLS data objects. Windows executes these functions before running code at the normal start of a program. TLS callback functions allow malware authors to execute malicious code before the debugger has a chance to pause at the traditional entry point. This allows malware to infect the system or disable the debugger before the analyst has a chance to look at the sample's code.

The MoveFileEX API call adds the file names to a registry key. Session Manager (smss.exe) queries the registry key PendingFileRenameOperations on each reboot and deletes any files listed in this key. Malware will utilize this registry key to get rid of temporary files that it dropped or downloaded. Each call to MoveFileEx will contain two strings being added to the key; the first is the original file name, the second is the destination. If the original file is to be deleted, then the destination file name is an empty string.

A domain referenced during the sample run has been categorized with content that is likely benign by Cisco Umbrella. Cisco Umbrella is a cloud security platform which provides additional detail about network activity such as security and content categorization for domains. Certain categories attributed to domains by Cisco Umbrella imply that a domain is likely safe. This is because the content hosted by the domain owners is well understood and unlikely to accidentally host malware.

The sample contacted only benign or likely benign domains. It is unlikely that malware will download malicious content from such sites.

Executables not importing functions are very suspicious, since they do not use the Windows API. They are very often corrupted programs or are using other means to load libraries.

Fast flux is a DNS technique used by botnets to maintain a resilient command and control infrastructure of compromised hosts acting as proxies. Fast flux is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A record list for a DNS name. Double-flux networks are a more complex technique providing an additional layer of redundancy. Specifically, both the DNS A record sets and the authoritative NS records for a domain are continually changed in a round robin manner. Please view the 'DNS' section under 'Network Analysis' for the associated traffic/communications. Additionally, the provided network PCAP will provide more details on the traffic stream.

A process read a Windows initialization (INI) file. The INI file acts as a basic configuration in a human-readable format. They are common through the Windows operating system and used to set configurations for things like boot menus, program options, display of files and so on. In Windows Vista and later, INI files are no longer used for system configuration, though some programs still read and use them.

An executable file contains a library reference to the SetWindowsHookEx function. This library could be used to monitor keyboard or other input, which could indicate the presence of a keylogger or other spyware.

Authenticode is Microsoft's solution to ensuring integrity of software introduced to the operating system. Authenticode only assures users that the publisher is participating in the trusted entities infrastructure and that the binary has not been altered, the presence of a certificate does not guarantee that the signed code is safe to execute. Starting with Windows Vista, Microsoft required that all driver code contain a digital signature.