Analysis file activities

The Analysis subject sections display the actual activity of the sample as collected by the VMware backend. The sections include the original subject being analyzed as well as additional subjects tracked by the analysis environment because they were either spawned by the original subject or because the original subject tampered with their memory.

Note:

Not all these activities are present for a specific sample.

Click the plus icon to expand each of the following sections:

  • Console I/O Data written to console handles (standard input and standard output file descriptors).

  • Decoded command line arguments The arguments to malicious PowerShell scripts are often encoded or obfuscated. If a script was executed during the analysis, the VMware backend decodes it, making its arguments available in a more human-readable form.

  • Device I/O List of I/O operations attempted by the subject during runtime. For each operation, the targeted device and the control code are recorded.

  • Driver activity List of drivers accessed by the subject during runtime. The following operations are recorded: loading and unloading.

  • Exceptions List of exceptions triggered by the subject during runtime. The error code is recorded

  • Executed scripts List of scripts executed by the subject during runtime. For each row, there is an entry for the Name, Type, and Interpreter. You can sort the list by any column.

  • File system activity List of files accessed by the subject during runtime. The following operations are recorded: reading, writing, renaming, deletion. For written files, the new size and MD5 hash of the file is recorded.

  • Libraries List of library files loaded by the subject during runtime.

  • Memory contents Noteworthy data found in program memory. The system extracts, for example, IPs, domains, and URLs during analysis.

  • Mutex activity List of mutex locks accessed by the subject during runtime. The following operations are recorded: creation and opening.

  • Network activity List of network conversations involving the subject during runtime. The following type of conversations are recorded: communications over FTP, HTTP, IRC, SMTP, and other types of UDP/TCP protocols. DNS requests and remote file downloads are also recorded.

  • Process interactions List of process interactions attempted by the subject during runtime. The following operations are recorded: process creation, thread creation, memory reading and writing.

  • Registry activity List of registry keys and values accessed by the subject during runtime. The following operations are recorded: reading, writing, deletion and monitoring.

  • Service activity List of services accessed by the subject during runtime. The following operations are recorded: starting, stopping, modifying parameters.

  • Windows activity List of windows opened by the subject during runtime.