
Windows Analysis Report
http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download

Overview

General Information

Sample URL: http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download
Analysis ID: 1419158

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Downloads suspicious files via Chrome
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Tries to load missing DLLs

Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
  • System is w10x64
  • chrome.exe (PID: 5580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 2736 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • unarchiver.exe (PID: 6224 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
      • 7za.exe (PID: 6268 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • chrome.exe (PID: 6484 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\license.txt
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 23.196.177.159:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown | TCP traffic detected without corresponding DNS query: 23.196.177.159 (19 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 104.89.170.181 (2 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Wed, 03 Apr 2024 05:37:32 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: oc0m4jav1y6q=f0v2v8p5hopslc21sc0jealdr2; path=/; HttpOnly
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: Sameorigin
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:; media-src *; connect-src *
X-Robots-Tag: none
Content-Disposition: attachment; filename*=UTF-8''MotionPro_Windows_1.2.25%20%281%29.zip; filename="MotionPro_Windows_1.2.25%20%281%29.zip"
Content-Transfer-Encoding: binary
Content-Length: 56270833
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/zip
Data Raw: (raw ZIP response body omitted)
Source: global traffic | HTTP traffic detected:
GET /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
Range: bytes=0-2147483646
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
Source: global traffic | HTTP traffic detected:
GET /index.php/s/0jEImnXiQQYBh5D/download HTTP/1.1
Host: nxtgen.infinitevaults.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Source: unknown | DNS traffic detected: queries for: nxtgen.infinitevaults.com
Source: MotionProSetup.exe.6.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MotionProSetup.exe.6.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: OEM.ini.6.dr | String found in binary or memory: http://www.arraynetworks.net
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443

System Summary

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File dump: C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip (copy)
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\7za.exe | Section loaded: 7z.dll
Source: classification engine | Classification label: sus23.win@22/15@4/4
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\56f01623-0cbf-4c0f-b639-a76b581c07a5.tmp
Source: C:\Windows\SysWOW64\unarchiver.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\unarchiver.log
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=1912,i,11780309818604107129,14762667450560493039,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://nxtgen.infinitevaults.com/index.php/s/0jEImnXiQQYBh5D/download"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae" "C:\Users\user\Downloads\MotionPro_Windows_1.2.25 (1).zip"
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (13 occurrences)
Source: C:\Windows\SysWOW64\7za.exe | File written: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\motionpro_templete.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 1960000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 3640000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 5640000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2gqt1g00.4ae\MotionProSetup\MotionProSetup.exe
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6272 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 5_2_0189B1D6 GetSystemInfo,5_2_0189B1D6
Source: MotionPro_Windows_1.2.25 (1).zip.crdownload.0.dr, MotionProSetup.exe.6.dr | Binary or memory string: QEMUa
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix (techniques with matching signatures carry the number of matches in parentheses):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (11), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (31), File and Directory Discovery (1), System Information Discovery (3), Internet Connection Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (3), Application Layer Protocol (4), Ingress Tool Transfer (2), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction