Windows Analysis Report
55hj0aeSzk.exe

Overview

General Information

Sample name: 55hj0aeSzk.exe (renamed because the original name is a hash value)
Original sample name: c6ddc9c2852eddf30f945a50183e28d38f6b9b1bbad01aac52e9d9539482a433.exe
Analysis ID: 1615969
MD5: 1289a867fafe321b51a93aa47afaffc9
SHA1: 221d0cbd5c7a0c84bb86b4351c552f6efcd4f3b6
SHA256: c6ddc9c2852eddf30f945a50183e28d38f6b9b1bbad01aac52e9d9539482a433
Tags: exe, user-JAMESWT_MHT

Detection

Score: 64
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Joe Sandbox ML detected suspicious sample
Uses the Telegram API (likely for C&C communication)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • 55hj0aeSzk.exe (PID: 1948 cmdline: "C:\Users\user\Desktop\55hj0aeSzk.exe" MD5: 1289A867FAFE321B51A93AA47AFAFFC9)
    • conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-15T19:31:30.715678+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49710 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 55hj0aeSzk.exe; Virustotal: Detection: 30%
Source: 55hj0aeSzk.exe; ReversingLabs: Detection: 32%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 94.2% probability
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Code function: 0_2_00007FF7FAD884D0 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036
Source: 55hj0aeSzk.exe, 00000000.00000002.3389644074.00007FF7FAE79000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: 55hj0aeSzk.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: encv2.pdb; source: 55hj0aeSzk.exe

Networking

Source: Network traffic; Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49710 -> 149.154.167.220:443
Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; HTTP traffic detected: POST /bot8179978828:AAFZb_wnWRRevWh6sM7sqz9xb_wKE_G1Rzo/sendMessage HTTP/1.0; Host: api.telegram.org; Content-Type: application/json; Content-Length: 120
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: unknown; HTTP traffic detected: POST /bot8179978828:AAFZb_wnWRRevWh6sM7sqz9xb_wKE_G1Rzo/sendMessage HTTP/1.0; Host: api.telegram.org; Content-Type: application/json; Content-Length: 120
Source: unknown; Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49710
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Code function: 0_2_00007FF7FAD735B0 WakeByAddressSingle,NtCancelIoFileEx,RtlNtStatusToDosError,NtDeviceIoControlFile,RtlNtStatusToDosError,WakeByAddressSingle,WakeByAddressSingle,WakeByAddressSingle,WakeByAddressSingle
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Code function: 0_2_00007FF7FAD72BC0 NtCancelIoFileEx,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,RtlNtStatusToDosError
Source: 55hj0aeSzk.exe; Binary string: \Device\Afd\Mio
Source: 55hj0aeSzk.exe; Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine; Classification label: mal64.troj.winEXE@2/3@1/1
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03
Source: 55hj0aeSzk.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\55hj0aeSzk.exe "C:\Users\user\Desktop\55hj0aeSzk.exe"
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: secur32.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: schannel.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Section loaded: cryptnet.dll
Source: 55hj0aeSzk.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 55hj0aeSzk.exe; Static PE information: Image base 0x140000000 > 0x60000000
Source: 55hj0aeSzk.exe; Static file information: File size 2170368 > 1048576
Source: 55hj0aeSzk.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x188000
Source: 55hj0aeSzk.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; API coverage: 2.4 %
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: 55hj0aeSzk.exe, 00000000.00000002.3389244899.0000016F65363000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Code function: 0_2_00007FF7FAE70790 GetProcessHeap,RtlReAllocateHeap,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Queries volume information: C:\PE32-KEY\context.pe32c VolumeInformation
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Queries volume information: C:\PE32-KEY VolumeInformation
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Code function: 0_2_00007FF7FAE5FEA4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\55hj0aeSzk.exe; Code function: 0_2_00007FF7FAE46030 WSASocketW,WSAGetLastError,WSASocketW,SetHandleInformation,GetLastError,closesocket,bind,WSAGetLastError,closesocket,WSAGetLastError
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Web Service (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (21) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | Security Software Discovery (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Information Discovery (13) | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction