|Overall analysis duration:||0h 4m 2s|
|Graph type:||Execution Graph|
|Sample file name:||6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe|
|Cookbook file name:||VM Aware.jbs|
|Analysis system description:||Windows 7 (Office 2003 SP1, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)|
- Key Decision
- Not Executed
- Signature Matched
- Richest Path
- Thread / callback entry
- Thread / callback creation
- Show Help
Malware Analysis System Evasion:
|Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe||Evasive API call chain: RegOpenKey,...,DecisionNode,Sleep|
|Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe||Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep|
|Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe||Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep|
|Found decision node followed by non-executed suspicious APIs||Show sources|
|Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe||Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)|
|Source: C:\6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe||API coverage: 7.7 %|
Graph for Process: 6307c172aeabf69da9cc136691268842eebff98b5aa884749b18f9de9209a0b7.exe PID: 3244 Parent PID: 3472
|Dynamic/Decrypted Code Coverage:||98.4%|
|Total number of Nodes:||512|
|Total number of Limit Nodes:||2|
Execution Graphs are highly condensed control flow graphs which give the user a synthetic view of the code detected during Hybrid Code Analysis. They include additional runtime information such as the execution status which is highlighted with different colors and shapes.
Program entry point, most likely the entry point of the PE file.
A code location where a decision has been made to avoid execution of potentially malicious behavior.
Dynamic / Decrypted
Code which has been generated at runtime, often referred to as unpacked or self-modifying code.
Unpacker / Decrypter
Code section which is responsible for unpacking or decrypting a portion of dynamic code.
Code which has been executed at runtime.
Code which has not been executed at runtime.
Code for which it is unknown if it has been executed or not at runtime.
Code which matches a behavioral signature.
Path through the execution graph which shows a lot of behavior (e.g. with respect to called API functions).
Thread / callback entry
Code corresponding to a thread or callback entry point.
Thread / callback creation
Edges denoting either a thread creation (e.g. using CreateThread) or a callback registration (e.g. EnumWindows).