Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
NEW__Review_202591760.svg

Overview

General Information

Sample name:NEW__Review_202591760.svg
Analysis ID:1632062
MD5:dbe4e5ff327c90a29d8d9572f2370e6a
SHA1:e0bc1420e1452bccd10b866550dc2d94b6055931
SHA256:33e9211b81d6e05d555f1918dbc1c882d617087a58ef4f054ba7a798e8a50d4f
Infos:

Detection

Invisible JS
Score:60
Range:0 - 100
Confidence:100%

Signatures

Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
AI detected suspicious Javascript
Creates files inside the system directory
Deletes files inside the Windows folder
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 7884 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\NEW__Review_202591760.svg" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 6932 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2392,i,6980206507368788743,134108683658003021,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2420 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 9096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --no-pre-read-main-dll --field-trial-handle=2392,i,6980206507368788743,134108683658003021,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4288 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
0.1.d.script.csvJoeSecurity_HangulCharacterYara detected Obfuscation Via HangulCharacterJoe Security
    0.1.d.script.csvJoeSecurity_InvisibleJSYara detected Invisible JSJoe Security

      Sigma Signatures

      No Sigma rule has matched

      Suricata Signatures

      No Suricata rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      Phishing

      barindex
      Yara detected Invisible JS
      Source: Yara matchFile source: 0.1.d.script.csv, type: HTML
      Yara detected Obfuscation Via HangulCharacter
      Source: Yara matchFile source: 0.1.d.script.csv, type: HTML
      AI detected suspicious Javascript
      Source: 0.0..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: https://hta.kervan2qh.com/NorvPJ/... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `atob()` to decode base64-encoded strings, followed by `eval()` to execute the decoded content, poses a significant security risk. Additionally, the script appears to be sending user data to an untrusted domain, which is a clear indicator of potential malicious intent. Overall, this script exhibits a high level of suspicion and should be treated as a high-risk security threat.
      Source: 0.1.d.script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: ... This script demonstrates high-risk behaviors, including dynamic code execution using `eval()` and potential data exfiltration. The obfuscated code and use of proxy objects further increase the risk. Overall, this script exhibits a high level of suspicious activity and should be thoroughly investigated.
      Source: 0.2.d.script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: ... This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, blocking common keyboard shortcuts and right-click functionality, and using a setInterval loop with a debugger statement to potentially trigger a redirect to an external website. These behaviors indicate a high likelihood of malicious intent, such as preventing analysis or redirecting users to a potentially malicious site.
      Source: file:///C:/Users/user/Desktop/NEW__Review_202591760.svgHTTP Parser: No favicon
      Source: https://mikeandwaynes.com/tunnelvission/untitledtext388.html?omnisendContactID=67b8a06e691b7688452b7464&utm_campaign=campaign%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Copy+of%3A+Kirk+%2867c9a08129f21f66bdbad6af%29&utm_medium=email&utm_source=omnisendHTTP Parser: No favicon
      Source: unknownHTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: Joe Sandbox ViewIP Address: 104.18.94.41 104.18.94.41
      Source: Joe Sandbox ViewIP Address: 151.101.2.137 151.101.2.137
      Source: Joe Sandbox ViewIP Address: 151.101.2.137 151.101.2.137
      Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
      Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
      Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
      Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
      Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
      Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
      Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
      Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
      Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
      Source: unknownTCP traffic detected without corresponding DNS query: 131.253.33.254
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.27
      Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
      Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.3
      Source: unknownTCP traffic detected without corresponding DNS query: 52.113.196.254
      Source: unknownTCP traffic detected without corresponding DNS query: 48.209.164.47
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficHTTP traffic detected: GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1Host: challenges.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://hta.kervan2qh.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
      Source: global trafficHTTP traffic detected: GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://hta.kervan2qh.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
      Source: global trafficHTTP traffic detected: GET /jquery-3.6.0.min.js HTTP/1.1Host: code.jquery.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptSec-Fetch-Storage-Access: activeReferer: https://hta.kervan2qh.com/Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
      Source: global trafficHTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
      Source: global trafficHTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
      Source: global trafficDNS traffic detected: DNS query: qrco.de
      Source: global trafficDNS traffic detected: DNS query: www.google.com
      Source: global trafficDNS traffic detected: DNS query: jbl.soundestlink.com
      Source: global trafficDNS traffic detected: DNS query: mikeandwaynes.com
      Source: global trafficDNS traffic detected: DNS query: a.nel.cloudflare.com
      Source: global trafficDNS traffic detected: DNS query: hta.kervan2qh.com
      Source: global trafficDNS traffic detected: DNS query: code.jquery.com
      Source: global trafficDNS traffic detected: DNS query: challenges.cloudflare.com
      Source: global trafficDNS traffic detected: DNS query: cdnjs.cloudflare.com
      Source: unknownHTTP traffic detected: POST /report/v4?s=sKxMYLe2Db9IvpbqAESCXWNtLwinM5YUGRaW8qsQs53JcdksQJy3wDbWuJmq47CkGC%2BX0cf8QoabWKnO6Kgh8ATmAWSe8lsLk%2BfMkdx83cfdXEk3izA4dFyqhZVqyqiRm4K7Xw%3D%3D HTTP/1.1Host: a.nel.cloudflare.comConnection: keep-aliveContent-Length: 725Content-Type: application/reports+jsonOrigin: https://mikeandwaynes.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
      Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
      Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
      Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49679 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
      Source: unknownHTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49732 version: TLS 1.2
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir7884_1063139499Jump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir7884_1063139499Jump to behavior
      Source: classification engineClassification label: mal60.phis.winSVG@25/8@20/12
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Packages\cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104Jump to behavior
      Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\NEW__Review_202591760.svg"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2392,i,6980206507368788743,134108683658003021,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2420 /prefetch:3
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --no-pre-read-main-dll --field-trial-handle=2392,i,6980206507368788743,134108683658003021,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4288 /prefetch:8
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2392,i,6980206507368788743,134108683658003021,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2420 /prefetch:3Jump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --no-pre-read-main-dll --field-trial-handle=2392,i,6980206507368788743,134108683658003021,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=4288 /prefetch:8Jump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected

      Mitre Att&ck Matrix

      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
      Browser Extensions      		1
      Process Injection      		11
      Masquerading      		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
      Encrypted Channel      		Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
      Process Injection      		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media3
      Non-Application Layer Protocol      		Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
      File Deletion      		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive4
      Application Layer Protocol      		Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
      Ingress Tool Transfer      		Traffic DuplicationData Destruction

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.