
Windows Analysis Report
https://tron2wq18ufc.z13.web.core.windows.net/

Overview

General Information

Sample URL: https://tron2wq18ufc.z13.web.core.windows.net/
Analysis ID: 1633898

Detection

TechSupportScam
Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

AI detected phishing page
Yara detected TechSupportScam
Creates files inside the system directory
Deletes files inside the Windows folder
Detected clear text password fields (password is not hidden)
HTML body contains low number of good links
HTML title does not match URL
Javascript checks online IP of machine

Classification

  • System is w10x64
  • chrome.exe (PID: 2372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 5432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,13854107073325764673,16350697911316749083,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=1980 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 6384 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tron2wq18ufc.z13.web.core.windows.net/" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):
dropped/chromecache_71 | JoeSecurity_TechSupportScam | Yara detected TechSupportScam | Joe Security |
2.2.pages.csv | JoeSecurity_TechSupportScam | Yara detected TechSupportScam | Joe Security |
2.1.pages.csv | JoeSecurity_TechSupportScam | Yara detected TechSupportScam | Joe Security |
2.3.pages.csv | JoeSecurity_TechSupportScam | Yara detected TechSupportScam | Joe Security |
2.0.pages.csv | JoeSecurity_TechSupportScam | Yara detected TechSupportScam | Joe Security |
No Sigma rule has matched
No Suricata rule has matched


Phishing
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/index.html, Joe Sandbox AI: Score: 7 Reasons: The URL 'tron2wq18ufc.z13.web.core.windows.net' is hosted on a Microsoft Azure domain, which is a legitimate cloud service provider., The brand 'Microsoft' is well-known and commonly associated with the domain 'microsoft.com'., The subdomain 'tron2wq18ufc.z13' does not directly relate to any known Microsoft service or product, which raises suspicion., The presence of input fields for 'Username' and 'Password' on a non-standard Microsoft domain increases the risk of phishing., The URL does not match the typical structure of a Microsoft login or service page, which would usually be under 'microsoft.com'. DOM: 2.1.pages.csv
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/index.html, Joe Sandbox AI: Score: 7 Reasons: The URL 'tron2wq18ufc.z13.web.core.windows.net' is hosted on a Microsoft Azure domain, which is a legitimate cloud service provider., The brand 'Microsoft' is well-known and commonly associated with the domain 'microsoft.com'., The subdomain 'tron2wq18ufc.z13' does not match any known Microsoft services or products, which raises suspicion., The presence of input fields for 'Username' and 'Password' on a non-standard Microsoft domain increases the risk of phishing., The URL structure with random alphanumeric subdomains is often used in phishing attempts to obscure the true nature of the site. DOM: 2.3.pages.csv
Source: Yara match, File source: 2.2.pages.csv, type: HTML
Source: Yara match, File source: 2.1.pages.csv, type: HTML
Source: Yara match, File source: 2.3.pages.csv, type: HTML
Source: Yara match, File source: 2.0.pages.csv, type: HTML
Source: Yara match, File source: dropped/chromecache_71, type: DROPPED
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/index.html, HTTP Parser: <input type="text"... for password input
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/index.html, HTTP Parser: Number of links: 0
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/index.html, HTTP Parser: Title: Helpdesk_Support-W does not match URL
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/QwUelq8gIjQ4.js, HTTP Parser: var t = new xmlhttprequest; t.onreadystatechange = function() { if (4 == this.readystate && 200 == this.status) { var a = json.parse(this.responsetext); ipadd = a.ip; city = a.city; country = a.country; isp = a.connection.isp; var b = new date; currtime = a.timezone.current_time; document.getelementbyid("ip_add").textcontent = "address ip: " + ipadd + " " + b.tolocalestring("en-us", currtime); document.getelementbyid("city").textcontent = "city: " + city + ", " + country; document.getelementbyid("isp").textcontent = "isp: " + isp } }; t.open("get", "https://ipwho.is/?lang=en", !0); t.send();
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/index.html, HTTP Parser: No <meta name="author".. found
Source: https://tron2wq18ufc.z13.web.core.windows.net/Wi061nhelpVi067/index.html, HTTP Parser: No <meta name="copyright".. found
Source: global traffic, HTTP traffic detected:
  GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlKHLAQiKo8sBCIWgzQEI9s/OAQiA1s4BCMnczgEIhODOAQii5M4BCK/kzgEI6eTOAQ==
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /?lang=en HTTP/1.1
  Host: ipwho.is
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  Accept: */*
  Origin: https://tron2wq18ufc.z13.web.core.windows.net
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: https://tron2wq18ufc.z13.web.core.windows.net/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /?lang=en HTTP/1.1
  Host: ipwho.is
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: */*
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Sec-Fetch-Storage-Access: active
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /r/gsr1.crl HTTP/1.1
  Cache-Control: max-age = 3000
  Connection: Keep-Alive
  Accept: */*
  If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT
  User-Agent: Microsoft-CryptoAPI/10.0
  Host: c.pki.goog
Source: global traffic, HTTP traffic detected:
  GET /r/r4.crl HTTP/1.1
  Cache-Control: max-age = 3000
  Connection: Keep-Alive
  Accept: */*
  If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
  User-Agent: Microsoft-CryptoAPI/10.0
  Host: c.pki.goog
Source: chromecache_97.1.dr, String found in binary or memory: return f}rG.K="internal.enableAutoEventOnTimer";var cc=wa(["data-gtm-yt-inspected-"]),tG=["www.youtube.com","www.youtube-nocookie.com"],uG,vG=!1; equals www.youtube.com (Youtube)
Source: global traffic, DNS traffic detected: DNS query: www.google.com
Source: global traffic, DNS traffic detected: DNS query: ipwho.is
Source: global traffic, DNS traffic detected: DNS query: apiip.net
Source: global traffic, DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic, DNS traffic detected: DNS query: beacons.gvt2.com

Spam, unwanted Advertisements and Ransom Demands
Source: Yara match, File source: 2.2.pages.csv, type: HTML
Source: Yara match, File source: 2.1.pages.csv, type: HTML
Source: Yara match, File source: 2.3.pages.csv, type: HTML
Source: Yara match, File source: 2.0.pages.csv, type: HTML
Source: Yara match, File source: dropped/chromecache_71, type: DROPPED
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File created: C:\Windows\SystemTemp\scoped_dir2372_467652406
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File deleted: C:\Windows\SystemTemp\scoped_dir2372_467652406
Source: classification engine, Classification label: mal56.phis.win@21/74@22/6
Source: unknown, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,13854107073325764673,16350697911316749083,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=1980 /prefetch:3
Source: unknown, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://tron2wq18ufc.z13.web.core.windows.net/"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,13854107073325764673,16350697911316749083,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=1980 /prefetch:3
Source: Window Recorder, Window detected: More than 3 window changes detected
MITRE ATT&CK Matrix (per tactic; a technique followed by a number in parentheses has that many matching signatures, the remaining entries are the matrix's unmatched placeholders):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (1); Process Injection (1); File Deletion (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Service Discovery; Application Window Discovery; Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction