
Analysis Report SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.15787 (renamed file extension from 15787 to exe)
Analysis ID: 255522
MD5: efc40f34ce8f5f1398daa482829e36b5
SHA1: ac48362fde1e24677eee874075949e79ad5d1d0e
SHA256: 8bbbbb12a3c24a9f9b5c9913a5279ca04d0e3c02e6a2b8e2988c26f72b3ca0ec

Detection

AgentTesla
Score: 51
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe (PID: 980 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe' MD5: EFC40F34CE8F5F1398DAA482829E36B5)
    • cmd.exe (PID: 5796 cmdline: 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 4788 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123' MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • pcalua.exe (PID: 6212 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123 MD5: CEB78417C510515FDE2B7AAED78063B4)
  • pcalua.exe (PID: 6264 cmdline: 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123 MD5: CEB78417C510515FDE2B7AAED78063B4)
  • OpenWith.exe (PID: 4272 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • OpenWith.exe (PID: 1428 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.349823847.0000000006A91000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.351666691.0000000006B82000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.354360372.0000000003381000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000003.352778696.0000000006AC9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.355261580.00000000044B5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 10 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\123 | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.353952543.00000000016AB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, fRu007e8G_7eoZ/Mu0026r67Yu0025qDu002a.cs | Large array initialization: A%y9xG4$8*: array initializer size 143872
Source: 123.0.dr, fRu007e8G_7eoZ/Mu0026r67Yu0025qDu002a.cs | Large array initialization: A%y9xG4$8*: array initializer size 143872
Source: 0.2.SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe.e60000.0.unpack, fRu007e8G_7eoZ/Mu0026r67Yu0025qDu002a.cs | Large array initialization: A%y9xG4$8*: array initializer size 143872
Source: 0.0.SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe.e60000.0.unpack, fRu007e8G_7eoZ/Mu0026r67Yu0025qDu002a.cs | Large array initialization: A%y9xG4$8*: array initializer size 143872
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Code function: 0_2_0167E740 | 0_2_0167E740
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Binary or memory string: originalFileName vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Binary or memory string: backupOfOriginalFileName vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.353952543.00000000016AB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000003.349823847.0000000006A91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameslAIWBuTLSEDnDWxPUaJ.exe4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.354360372.0000000003381000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecvsdfr.dll4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.355141437.0000000004390000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecheck.dll4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
            Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000003.332472078.0000000006F57000.00000004.00000001.sdmpBinary or memory string: -m@2G7Y|wF!8j&NP3i~e!6De$Gp#2r!3Pm_~2Wap#Qp4~|Kq67$3Gy#%m8AT$3Jm*|z6PZ%2b&TE5o@p%K^a92T%fJ&sF@4C9o|g&4g)XH8d|i&L_c8*2Spj&7Lc#!4Rxp&W@i6mD8^3(5Ho+n4/W8(Y*o8$7JdE(9i&C~2Qep(e!5H7tJ$x(Di8_x3$H6)j$7D2F/cs)3o|ZG2w(4*A%y9xG4$8*M&r67Y%qD*t+4F#9KmH*y)5F3A^zK*J@o2j7_WR*t%7E8K@np*9b@SE3i|8+D!c9fW7#4/zB^6@c9LG/Q&t9jF2_J/4Kk_@6HpL/f%3W7P&iX/Func`1IEnumerable`1IEnumerator`1List`1Int32x%8F9fP#B2Action`29Ht*T^5b(3dD%7@x4Kc37Tq#Wp&2d33n#Ay+P5%4tY&93)oLS4p_2H6X$w+54Mz_k~L3Q5yK(2R$8ka5Pk8)@Xb7q6Yo4#7)aMr6K|q65Q^m$78Wa)F~6i/760DB2DAAAE3BE4EB39680E79F2E6151946F1D20780067C9C8C1235240A718BE7cQ*53oG+R7sH~4!p6QX7N*a2bK5/~7get_UTF8M!m2+c7QG89k^SY!7ec8gZ^56~cNy8f(7N5bS@)9i!6GNo(5*97Fq$t!T6N92Kb~Y@5gz9K#k6*7BgL@2Ra&q6(LQ@f_2J%9Pd7A2y$DC)6c8AGg7|q8^J5CfB/4N%2c9CE|y2#9JsbCk^7Q2pA*aEXg7^8&bLcGW!s6+7Qm2HB+j9f6(T5H3Sk@^w2T8HtQ|38*cM%KfS_9~g5W6Ke^2WNz|97K4s@DR9d*aL8o~QX@4gmL6Zx+/j7J3M8c^TM3f&_Nx@4X3bD_sN4Mr~%i8WtNSystem.IONa2/m_J3#Py$3J)5ZjxPQ_a32fE@zPkE|3&2Wc8QtJ)8^3DokQZ!r9e6)G/Ri(5J!9Kw7RZz9+2*cWwR7Dc^s%L9|RdB(9M2t^~TEo7|/9TqgWjM+28#iJmW8n$H^5AygXc|6CG5o(~X7n@Rd+C4)Y6Px&m)X5^Yx|7Z)8CfjYfR~8G_7eoZoD%4G9a)tZ7De!/q5ES^bA%3~8MsX^J_o9nB5/Y^R@x27N+rk^6b!K/4Aan^nZ$6/g2HK_value__dC^6(3Mro_Hx3#$4Dry_j(3XF9z@4aqA$5S6z/8axG*2T7y(|amscorlibSystem.Collections.Generic2b%GB6s)$d3p(JkR6^*dpayloadChangedInterlockedpreparedIidiidAppidappidClsidclsidGuid<Appid>k__BackingFieldAppendGetMethodmethoddE&8S5f%6e4j$QP5c*6er|6M$Kt2QeCompareExchangeEndInvokeBeginInvokeICloneableIDisposableRuntimeFieldHandleRuntimeTypeHandleGetTypeFromHandleFilebackupOfOriginalFileNameoriginalFileNameGetRandomFileNametempFileNamefileNamebindingNameparamNameThunkFrameCombineserviceTypeValueTypebindingTypeTraceEventTypeeventTypetyperesourceCultureMethodBaseDisposeCreateDelegateMulticastDelegateEditorBrowsableStateSTAThreadAttributeCompilerGeneratedAttributeGuidAttributeDebuggerNon
UserCodeAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeSecuritySafeCriticalAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeReliabilityContractAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeBytesetNewValuevalueRemove9Lc&T+7f4go(9MA3r*6gSystem.ThreadingEncodingencodingSystem.Runtime.VersioningFromBase64StringToStringGetStringPathLengthUri9a#Gn|F4NjGf8%x9!D$kd&5Z(4QaDkAsyncCallbackcallbackchunkPresentationFrameworkisEqualSystem.ComponentModelJ~y56K(f)m7Ha&/9Zw3m5Gq@a$T36mpG*9&4TfSmReleaseStreamGetStreamstreamSystemEnum7r!QA&8c5n5b%SY2s~6nresourceManApplicationSystem.GlobalizationActionSystem.ReflectionFormatExceptionexceptionSystem.Runtime.ConstrainedExecutionPb9|y8!M/oCc8)+3Tg7oy*5Y/Fx89oMethodInfoCultureInfoq@2P7J*i^pY_e9a8#G@qCharCerProviderproviderStringBuilderBufferbufferResourceManagerIEnumeratorGetEnumerator.ctor.cctorstr9n/FK6z@8sSystem.DiagnosticsmethodsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resou
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000003.332472078.0000000006F57000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename123.exe4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.358131027.0000000007550000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.357217107.0000000007200000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Binary or memory string: backupOfOriginalFileName vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Binary or memory string: originalFileName vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
            Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exeBinary or memory string: -m@2G7Y|wF!8j&NP3i~e!6De$Gp#2r!3Pm_~2Wap#Qp4~|Kq67$3Gy#%m8AT$3Jm*|z6PZ%2b&TE5o@p%K^a92T%fJ&sF@4C9o|g&4g)XH8d|i&L_c8*2Spj&7Lc#!4Rxp&W@i6mD8^3(5Ho+n4/W8(Y*o8$7JdE(9i&C~2Qep(e!5H7tJ$x(Di8_x3$H6)j$7D2F/cs)3o|ZG2w(4*A%y9xG4$8*M&r67Y%qD*t+4F#9KmH*y)5F3A^zK*J@o2j7_WR*t%7E8K@np*9b@SE3i|8+D!c9fW7#4/zB^6@c9LG/Q&t9jF2_J/4Kk_@6HpL/f%3W7P&iX/Func`1IEnumerable`1IEnumerator`1List`1Int32x%8F9fP#B2Action`29Ht*T^5b(3dD%7@x4Kc37Tq#Wp&2d33n#Ay+P5%4tY&93)oLS4p_2H6X$w+54Mz_k~L3Q5yK(2R$8ka5Pk8)@Xb7q6Yo4#7)aMr6K|q65Q^m$78Wa)F~6i/760DB2DAAAE3BE4EB39680E79F2E6151946F1D20780067C9C8C1235240A718BE7cQ*53oG+R7sH~4!p6QX7N*a2bK5/~7get_UTF8M!m2+c7QG89k^SY!7ec8gZ^56~cNy8f(7N5bS@)9i!6GNo(5*97Fq$t!T6N92Kb~Y@5gz9K#k6*7BgL@2Ra&q6(LQ@f_2J%9Pd7A2y$DC)6c8AGg7|q8^J5CfB/4N%2c9CE|y2#9JsbCk^7Q2pA*aEXg7^8&bLcGW!s6+7Qm2HB+j9f6(T5H3Sk@^w2T8HtQ|38*cM%KfS_9~g5W6Ke^2WNz|97K4s@DR9d*aL8o~QX@4gmL6Zx+/j7J3M8c^TM3f&_Nx@4X3bD_sN4Mr~%i8WtNSystem.IONa2/m_J3#Py$3J)5ZjxPQ_a32fE@zPkE|3&2Wc8QtJ)8^3DokQZ!r9e6)G/Ri(5J!9Kw7RZz9+2*cWwR7Dc^s%L9|RdB(9M2t^~TEo7|/9TqgWjM+28#iJmW8n$H^5AygXc|6CG5o(~X7n@Rd+C4)Y6Px&m)X5^Yx|7Z)8CfjYfR~8G_7eoZoD%4G9a)tZ7De!/q5ES^bA%3~8MsX^J_o9nB5/Y^R@x27N+rk^6b!K/4Aan^nZ$6/g2HK_value__dC^6(3Mro_Hx3#$4Dry_j(3XF9z@4aqA$5S6z/8axG*2T7y(|amscorlibSystem.Collections.Generic2b%GB6s)$d3p(JkR6^*dpayloadChangedInterlockedpreparedIidiidAppidappidClsidclsidGuid<Appid>k__BackingFieldAppendGetMethodmethoddE&8S5f%6e4j$QP5c*6er|6M$Kt2QeCompareExchangeEndInvokeBeginInvokeICloneableIDisposableRuntimeFieldHandleRuntimeTypeHandleGetTypeFromHandleFilebackupOfOriginalFileNameoriginalFileNameGetRandomFileNametempFileNamefileNamebindingNameparamNameThunkFrameCombineserviceTypeValueTypebindingTypeTraceEventTypeeventTypetyperesourceCultureMethodBaseDisposeCreateDelegateMulticastDelegateEditorBrowsableStateSTAThreadAttributeCompilerGeneratedAttributeGuidAttributeDebuggerNonUserCodeAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyT
itleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeSecuritySafeCriticalAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeReliabilityContractAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeBytesetNewValuevalueRemove9Lc&T+7f4go(9MA3r*6gSystem.ThreadingEncodingencodingSystem.Runtime.VersioningFromBase64StringToStringGetStringPathLengthUri9a#Gn|F4NjGf8%x9!D$kd&5Z(4QaDkAsyncCallbackcallbackchunkPresentationFrameworkisEqualSystem.ComponentModelJ~y56K(f)m7Ha&/9Zw3m5Gq@a$T36mpG*9&4TfSmReleaseStreamGetStreamstreamSystemEnum7r!QA&8c5n5b%SY2s~6nresourceManApplicationSystem.GlobalizationActionSystem.ReflectionFormatExceptionexceptionSystem.Runtime.ConstrainedExecutionPb9|y8!M/oCc8)+3Tg7oy*5Y/Fx89oMethodInfoCultureInfoq@2P7J*i^pY_e9a8#G@qCharCerProviderproviderStringBuilderBufferbufferResourceManagerIEnumeratorGetEnumerator.ctor.cctorstr9n/FK6z@8sSystem.DiagnosticsmethodsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resou
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Binary or memory string: OriginalFilename123.exe4 vs SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123'
Source: classification engine | Classification label: mal51.troj.winEXE@10/3@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | File created: C:\Users\user\Desktop\123
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123'
Source: unknown | Process created: C:\Windows\System32\pcalua.exe 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123
Source: unknown | Process created: C:\Windows\System32\pcalua.exe 'C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\pcalua.exe | Automated click: OK
Source: C:\Windows\System32\pcalua.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Code function: 0_2_00E6232B push esp; retf | 0_2_00E62340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | File created: C:\Users\user\Desktop\123
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | File created: C:\Users\user\Desktop\123

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 123
Creates autostart registry keys with suspicious names
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 123
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 123
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 123
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\pcalua.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Window / User API: threadDelayed 1177
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe TID: 5840 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe TID: 6952 | Thread sleep count: 201 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe TID: 6952 | Thread sleep count: 1177 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.358131027.0000000007550000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.293580407.0000000000860000.00000002.00000001.sdmp, pcalua.exe, 00000011.00000002.348780628.000001F236F20000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.358131027.0000000007550000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.293580407.0000000000860000.00000002.00000001.sdmp, pcalua.exe, 00000011.00000002.348780628.000001F236F20000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.358131027.0000000007550000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.293580407.0000000000860000.00000002.00000001.sdmp, pcalua.exe, 00000011.00000002.348780628.000001F236F20000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe, 00000000.00000002.358131027.0000000007550000.00000002.00000001.sdmp, reg.exe, 0000000D.00000002.293580407.0000000000860000.00000002.00000001.sdmp, pcalua.exe, 00000011.00000002.348780628.000001F236F20000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v 123 /t REG_SZ /d C:\Windows\system32\pcalua.exe' -a C:\Users\user\Desktop\123'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe | Binary or memory string: 123.exe

            Stealing of Sensitive Information:

            barindex
            Yara detected AgentTesla
            Source: Yara matchFile source: 00000000.00000003.349823847.0000000006A91000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.351666691.0000000006B82000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.354360372.0000000003381000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.352778696.0000000006AC9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.355261580.00000000044B5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.349760863.0000000006A90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.356623035.0000000006ACC000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.349054243.0000000006B3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.351195424.0000000006A92000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.349303187.0000000006B7E000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.349667267.0000000006A90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.352449237.0000000006A95000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.355187697.0000000004407000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.349184204.0000000006A89000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe PID: 980, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected AgentTesla
            Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Siggen2.52284.17854.exe PID: 980, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder 21 | Process Injection 11 | Masquerading 11 | Input Capture 1 | Security Software Discovery 21 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 21 | Modify Registry 1 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 11 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features

            Behavior Graph


            Screenshots
