Managed XDR

gui-scraper-proxy-2.3.zip — malware analysis report

File info

Filename: gui-scraper-proxy-2.3.zip
File type: Zip archive data, at least v2.0 to extract
File size: 518.6 KB
First seen: 2026-05-16 08:40
Last seen: 2026-05-16 08:40

Environment

w10/x64 en

Hashes

SHA1: 4cf7988354734001332cd16aa8ef3f8d2fe5f83d
SHA256: 827ee16ebb0abd00b08d60fd2801501721ab2e75ce16db19e219bfc6ed805e18
MD5: a2ba013b82f141f82431fff87e94d029

Signatures

Execution

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1574 dropper_dll: Creates DLL, which is then loaded into the process

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1057 has_wmi: Executes one or several WMI requests

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1082 has_wmi: Executes one or several WMI requests

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1071.001 network_http: Performs HTTP requests

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

suricata_alert: Malicious traffic detected

creates_in_windows: Creates files in the Windows directory

copies_self: Creates a copy of itself

ip_domains: Identifies an IP address using external resources

network_bind: Starts servers listening at None

creates_exe: Creates executable files in the file system

creates_suspended_process: Creates suspended process

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

Managed XDR