
Analysis Report bxfomd2r.cjb.exe

Overview

General Information

Sample Name: bxfomd2r.cjb.exe
MD5: e45462327ac82abf12b65ffad6c9e0cb
SHA1: a072f1d825af90f7ab5ada5bbba4a4c75a4e26e9
SHA256: abdb53cf53c46e0ce06b1058847e47e3fbc0261eb86c3f005ee531c2a7e49397

Most interesting Screenshot:

Detection

AgentTesla
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Malware Configuration

Threatname: Agenttesla

{"Username: ": "rO7CcdDOXVvyo", "URL: ": "https://PMzyK1FluOAeH.net", "To: ": "mahmut@mkkarakosemobilya.com", "ByHost: ": "mail.mkkarakosemobilya.com:5878", "Password: ": "=0AcaQb8M4T9gMd", "From: ": "mahmut@mkkarakosemobilya.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1105971248.0000000003A4F000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.1497201629.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1104120701.0000000002850000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1106249809.0000000003ADD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1105206021.0000000003850000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.bxfomd2r.cjb.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: bxfomd2r.cjb.exe.5740.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "rO7CcdDOXVvyo", "URL: ": "https://PMzyK1FluOAeH.net", "To: ": "mahmut@mkkarakosemobilya.com", "ByHost: ": "mail.mkkarakosemobilya.com:5878", "Password: ": "=0AcaQb8M4T9gMd", "From: ": "mahmut@mkkarakosemobilya.com"}
Multi AV Scanner detection for submitted file
Source: bxfomd2r.cjb.exe | Virustotal: Detection: 25%
Source: bxfomd2r.cjb.exe | ReversingLabs: Detection: 67%
Machine Learning detection for sample
Source: bxfomd2r.cjb.exe | Joe Sandbox ML: detected
Source: 2.2.bxfomd2r.cjb.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Source: global traffic | TCP traffic: 192.168.2.6:49938 -> 94.101.95.8:587
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | DNS traffic detected: queries for: mail.mkkarakosemobilya.com
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499565451.0000000002DB0000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499565451.0000000002DB0000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: bxfomd2r.cjb.exe, 00000002.00000002.1500028227.0000000002F21000.00000004.00000001.sdmp | String found in binary or memory: http://mail.mkkarakosemobilya.com
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499565451.0000000002DB0000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
Source: bxfomd2r.cjb.exe, 00000002.00000002.1500028227.0000000002F21000.00000004.00000001.sdmp | String found in binary or memory: https://PMzyK1FluOAeH.net
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499565451.0000000002DB0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499565451.0000000002DB0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499565451.0000000002DB0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499565451.0000000002DB0000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784

Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 0_2_003F6A25
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053CF428
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053CF770
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053CCD68
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C0C50
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C8EE0
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C4828
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C0810
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C3B60
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053CCD53
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C4C50
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C8ED0
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C080B
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C3B52
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610A298
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610B940
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610D5E0
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610CA70
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06109A78
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610CA61
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610A289
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610C741
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610A373
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610A3B7
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610A3DD
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610A3C9
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06100FF7
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06100040
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610EC66
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610ECBD
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06109140
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610D162
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610C591
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610F1D0
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610F1E0
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_008E6A25
Source: bxfomd2r.cjb.exe | Binary or memory string: OriginalFilename vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000000.00000002.1104387122.00000000028DA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUnhook.dll. vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000000.00000002.1104387122.00000000028DA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename26.dll4 vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000000.00000002.1108675389.0000000004C50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000000.00000002.1105971248.0000000003A4F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenFYNoPOVmwWmEYSCNQGYApoNSVocN.exe4 vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000000.00000002.1105206021.0000000003850000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMYDLLSTUBSHARED.dll4 vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000000.00000002.1108473105.0000000004BE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000000.00000000.1074187738.0000000000402000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameas3o.exe* vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000002.00000002.1497493633.00000000008F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameas3o.exe* vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000002.00000002.1499452773.0000000002C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000002.00000002.1497321054.000000000044C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenFYNoPOVmwWmEYSCNQGYApoNSVocN.exe4 vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000002.00000002.1497359605.00000000008A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZImBOZX.dll< vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe, 00000002.00000002.1497560756.0000000000CF7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe | Binary or memory string: OriginalFilenameZImBOZX.dll< vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe | Binary or memory string: OriginalFilenameas3o.exe* vs bxfomd2r.cjb.exe
Source: bxfomd2r.cjb.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bxfomd2r.cjb.exe.log
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: bxfomd2r.cjb.exe | Virustotal: Detection: 25%
Source: bxfomd2r.cjb.exe | ReversingLabs: Detection: 67%
Source: unknown | Process created: C:\Users\user\Desktop\bxfomd2r.cjb.exe 'C:\Users\user\Desktop\bxfomd2r.cjb.exe'
Source: unknown | Process created: C:\Users\user\Desktop\bxfomd2r.cjb.exe C:\Users\user\Desktop\bxfomd2r.cjb.exe
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Process created: C:\Users\user\Desktop\bxfomd2r.cjb.exe C:\Users\user\Desktop\bxfomd2r.cjb.exe
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: bxfomd2r.cjb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: bxfomd2r.cjb.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Unhook.pdb source: bxfomd2r.cjb.exe, 00000000.00000002.1104387122.00000000028DA000.00000004.00000001.sdmp
Source: Binary string: 26.pdb source: bxfomd2r.cjb.exe, 00000000.00000002.1104387122.00000000028DA000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdb<2V2 H2_CorDllMainmscoree.dll source: bxfomd2r.cjb.exe
Source: Binary string: 26.pdbx source: bxfomd2r.cjb.exe, 00000000.00000002.1104387122.00000000028DA000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Raz\Documents\Visual Studio 2015\Projects\STUB214\ClassLibrary1\obj\Debug\ZImBOZX.pdb source: bxfomd2r.cjb.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: bxfomd2r.cjb.exe, aTzA.cs | .Net Code: eCRb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.bxfomd2r.cjb.exe.3b0000.0.unpack, aTzA.cs | .Net Code: eCRb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.bxfomd2r.cjb.exe.3b0000.0.unpack, aTzA.cs | .Net Code: eCRb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.bxfomd2r.cjb.exe.8a0000.0.unpack, aTzA.cs | .Net Code: eCRb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.bxfomd2r.cjb.exe.8a0000.1.unpack, aTzA.cs | .Net Code: eCRb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_053C286F push ebx; ret 2_2_053C287A
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06101298 push es; ret 2_2_061020AC
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06107FF1 push es; retf 2_2_06108020
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06107FF1 push es; iretd 2_2_0610809C
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06100040 push es; retf 2_2_06100FF4
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06108063 push es; iretd 2_2_0610809C
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_061020AF push es; ret 2_2_061020B0
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_061020FF push es; ret 2_2_06102144
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_06102147 push es; ret 2_2_06102148
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_0610214B push es; ret 2_2_061021D4
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_061021D7 push es; ret 2_2_061021D8
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_061021DB push es; ret 2_2_061021DC
Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Code function: 2_2_061021DF push es; ret 2_2_061021E0
Source: initial sample | Static PE information: section name: .text entropy: 7.82171886423

Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Window / User API: threadDelayed 449
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Window / User API: threadDelayed 9262
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe TID: 4460; Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe TID: 5692; Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe TID: 1292; Thread sleep time: -19369081277395017s >= -30000s
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe TID: 2652; Thread sleep count: 449 > 30
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe TID: 2652; Thread sleep count: 9262 > 30
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Process information queried: ProcessInformation

              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Process token adjusted: Debug
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Memory allocated: page read and write | page guard

              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Process created: C:\Users\user\Desktop\bxfomd2r.cjb.exe C:\Users\user\Desktop\bxfomd2r.cjb.exe
              Source: bxfomd2r.cjb.exe, 00000002.00000002.1498844817.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
              Source: bxfomd2r.cjb.exe, 00000002.00000002.1498844817.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
              Source: bxfomd2r.cjb.exe, 00000002.00000002.1498844817.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progman
              Source: bxfomd2r.cjb.exe, 00000002.00000002.1498844817.00000000016B0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Queries volume information: C:\Users\user\Desktop\bxfomd2r.cjb.exe VolumeInformation
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match; File source: 00000000.00000002.1105971248.0000000003A4F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000002.00000002.1497201629.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1104120701.0000000002850000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1106249809.0000000003ADD000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1105206021.0000000003850000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000002.00000002.1500028227.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: bxfomd2r.cjb.exe PID: 5740, type: MEMORY
              Source: Yara match; File source: Process Memory Space: bxfomd2r.cjb.exe PID: 6000, type: MEMORY
              Source: Yara match; File source: 2.2.bxfomd2r.cjb.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Tries to harvest and steal ftp login credentials
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Tries to steal Mail credentials (via file access)
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\Desktop\bxfomd2r.cjb.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: Yara match; File source: 00000002.00000002.1500028227.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: bxfomd2r.cjb.exe PID: 5740, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match; File source: 00000000.00000002.1105971248.0000000003A4F000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000002.00000002.1497201629.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1104120701.0000000002850000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1106249809.0000000003ADD000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1105206021.0000000003850000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: 00000002.00000002.1500028227.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: bxfomd2r.cjb.exe PID: 5740, type: MEMORY
              Source: Yara match; File source: Process Memory Space: bxfomd2r.cjb.exe PID: 6000, type: MEMORY
              Source: Yara match; File source: 2.2.bxfomd2r.cjb.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation121 | Winlogon Helper DLL | Process Injection12 | Masquerading1 | Credential Dumping2 | Virtualization/Sandbox Evasion3 | Application Deployment Software | Email Collection1 | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Software Packing13 | Credentials in Registry1 | Process Discovery2 | Remote Services | Data from Local System2 | Exfiltration Over Other Network Medium | Uncommonly Used Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Disabling Security Tools1 | Input Capture | Application Window Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Virtualization/Sandbox Evasion3 | Credentials in Files | Security Software Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol11 | SIM Card Swap |  | Premium SMS Toll Fraud
              Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection12 | Account Manipulation | Remote System Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
              Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information2 | Brute Force | File and Directory Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features
              Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | System Information Discovery114 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

              Behavior Graph

              Screenshots