Analysis Report: Notes Received gcgaming.com.html

Overview

General Information

Sample Name: Notes Received gcgaming.com.html
Analysis ID: 404077
MD5: 9ee4dcc0d2a1097277c46f9b11c60586
SHA1: 018cb127487b5007462577deedb65149588f0cdb
SHA256: c1ee5eb5ec9fa1c44b2e02e1c05f669c096702494b2e793a940d24f15a3b9bdf
Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Startup

  • System is w10x64
  • chrome.exe (PID: 6504 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'C:\Users\user\Desktop\Notes Received gcgaming.com.html' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6728 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,12644167979976499918,16360615135431647946,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1716 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Notes Received gcgaming.com.html | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Signature Overview


    Phishing:

    Phishing site detected (based on favicon image match)
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, Matcher: Template: microsoft matched with high similarity
    Yara detected HtmlPhish10
    Source: Yara match, File source: Notes Received gcgaming.com.html, type: SAMPLE
    Source: Yara match, File source: 76766.pages.csv, type: HTML
    Phishing site detected (based on logo template match)
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, Matcher: Template: microsoft matched
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, HTTP Parser: Number of links: 0
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, HTTP Parser: Title: Microsoft | Login does not match URL
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, HTTP Parser: Invalid link: Privacy & cookies
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, HTTP Parser: Has password / email / username input fields
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, HTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/user/Desktop/Notes%20Received%20gcgaming.com.html, HTTP Parser: No <meta name="copyright".. found
    Source: unknown, HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.4:49731 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.4:49738 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 152.199.23.37:443 -> 192.168.2.4:49762 version: TLS 1.2
    Source: Joe Sandbox View, IP Address: 23.111.9.35
    Source: Joe Sandbox View, JA3 fingerprint: b32309a26951912be7dba376398abc3b
    Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: classification engine, Classification label: mal60.phis.winHTML@45/243@7/8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6091691B-1968.pma
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File created: C:\Users\user\AppData\Local\Temp\a42773f2-21fc-4eb0-ba08-1efd58e67399.tmp
    Source: unknown, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'C:\Users\user\Desktop\Notes Received gcgaming.com.html'
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,12644167979976499918,16360615135431647946,131072 --lang=en-GB --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1716 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Automated click: Next
    Source: Window Recorder, Window detected: More than 3 window changes detected

    MITRE ATT&CK Matrix

    Techniques listed per tactic column; a number in parentheses is the count of matched signatures for that technique.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
    Discovery: System Service Discovery; Application Window Discovery; Query Registry
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (2)
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data
