Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Payload.exe

Overview

General Information

Sample name:Payload.exe
Analysis ID:1487423
MD5:9c04cc2093d04bcb63b5505e26a5d681
SHA1:d699d464108c960f5d7aac5ffeff195f5749b57a
SHA256:d3d58aeaa5eff57a8235cacc3e5c8b2b7ca00064b80abbe8b4b062725bc6c659
Tags:exe
Infos:

Detection

Clipboard Hijacker
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Clipboard Hijacker
AI detected suspicious sample
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Payload.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\Payload.exe" MD5: 9C04CC2093D04BCB63B5505E26A5D681)
  • Payload.exe (PID: 7444 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe" MD5: 9C04CC2093D04BCB63B5505E26A5D681)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Payload.exeJoeSecurity_Clipboard_Hijacker_3Yara detected Clipboard HijackerJoe Security
    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeJoeSecurity_Clipboard_Hijacker_3Yara detected Clipboard HijackerJoe Security
      SourceRuleDescriptionAuthorStrings
      00000000.00000000.1642342731.0000000000C12000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_Clipboard_Hijacker_3Yara detected Clipboard HijackerJoe Security
        SourceRuleDescriptionAuthorStrings
        0.0.Payload.exe.c10000.0.unpackJoeSecurity_Clipboard_Hijacker_3Yara detected Clipboard HijackerJoe Security
          Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\Payload.exe, ProcessId: 7292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe
          No Snort rule has matched

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Source: Payload.exeAvira: detected
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeAvira: detection malicious, Label: HEUR/AGEN.1314455
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeReversingLabs: Detection: 84%
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeVirustotal: Detection: 62%Perma Link
          Source: Payload.exeReversingLabs: Detection: 84%
          Source: Payload.exeVirustotal: Detection: 62%Perma Link
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 91.6% probability
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeJoe Sandbox ML: detected
          Source: Payload.exeJoe Sandbox ML: detected
          Source: Payload.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: Payload.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
          Source: C:\Users\user\Desktop\Payload.exeCode function: 4x nop then dec eax0_2_00007FFD9BA116E9
          Source: C:\Users\user\Desktop\Payload.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
          Source: Payload.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: classification engineClassification label: mal96.adwa.spyw.winEXE@2/3@0/0
          Source: C:\Users\user\Desktop\Payload.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeMutant created: NULL
          Source: C:\Users\user\Desktop\Payload.exeMutant created: \Sessions\1\BaseNamedObjects\HZ7oDGV5TWzfti2Q
          Source: Payload.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Payload.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\Payload.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Payload.exeReversingLabs: Detection: 84%
          Source: Payload.exeVirustotal: Detection: 62%
          Source: C:\Users\user\Desktop\Payload.exeFile read: C:\Users\user\Desktop\Payload.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Payload.exe "C:\Users\user\Desktop\Payload.exe"
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe"
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: ntmarta.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: textinputframework.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: coreuicomponents.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: coremessaging.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeSection loaded: uxtheme.dllJump to behavior
          Source: Payload.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Payload.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: C:\Users\user\Desktop\Payload.exeCode function: 0_2_00007FFD9BA10508 push ebx; retf 0_2_00007FFD9BA1052A
          Source: C:\Users\user\Desktop\Payload.exeCode function: 0_2_00007FFD9BA104F0 push ebx; retf 0_2_00007FFD9BA1052A
          Source: C:\Users\user\Desktop\Payload.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeJump to dropped file

          Boot Survival

          barindex
          Source: C:\Users\user\Desktop\Payload.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeJump to dropped file
          Source: C:\Users\user\Desktop\Payload.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe\:Zone.Identifier:$DATAJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeMemory allocated: 1070000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeMemory allocated: 1AF10000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeMemory allocated: FF0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeMemory allocated: 1AE30000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe TID: 7464Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\Jump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
          Source: C:\Users\user\Desktop\Payload.exeMemory allocated: page read and write | page guardJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeQueries volume information: C:\Users\user\Desktop\Payload.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Payload.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: Payload.exe, type: SAMPLE
          Source: Yara matchFile source: 0.0.Payload.exe.c10000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000000.1642342731.0000000000C12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe, type: DROPPED
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading
          1
          Process Injection
          1
          Masquerading
          OS Credential Dumping1
          Security Software Discovery
          Remote Services1
          Clipboard Data
          Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job12
          Registry Run Keys / Startup Folder
          1
          DLL Side-Loading
          1
          Disable or Modify Tools
          LSASS Memory31
          Virtualization/Sandbox Evasion
          Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)12
          Registry Run Keys / Startup Folder
          31
          Virtualization/Sandbox Evasion
          Security Account Manager1
          File and Directory Discovery
          SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
          Process Injection
          NTDS12
          System Information Discovery
          Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          DLL Side-Loading
          LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
          Obfuscated Files or Information
          Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious