Windows Analysis Report SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Analysis ID: 510686
MD5: e53a16bea7918b1f7d4c0e659febc766
SHA1: 10d4d3d7fac35f6492cda2fb04aebf46903481f0
SHA256: 212cae7b05ecbc938b3a1fda4753d119f69360165955937b836fdbc7a6d514eb
Tags: dll

Detection

Dridex
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Found detection on Joe Sandbox Cloud Basic with higher score
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1624 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 2940 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3596 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3712 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5596 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5964 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 2212 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 1036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6120 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1112 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.650424736.000000006ECF1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000013.00000000.633029380.000000006ECF1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000012.00000000.639692678.000000006ECF1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000003.00000000.372154068.000000006ECF1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
(5 of 10 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.0.rundll32.exe.6ecf0000.5.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
19.0.rundll32.exe.6ecf0000.5.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
4.2.rundll32.exe.6ecf0000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
18.2.rundll32.exe.6ecf0000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
19.2.rundll32.exe.6ecf0000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
(5 of 10 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.6ecf0000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Virustotal: Detection: 21%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | ReversingLabs: Detection: 31%

Machine Learning detection for sample
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Joe Sandbox ML: detected
Source: 19.0.rundll32.exe.754756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.4764756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.rundll32.exe.5b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 19.0.rundll32.exe.5b0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.4af4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.rundll32.exe.f70000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.4df4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.loaddll32.exe.1250000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.3300000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.3464756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.rundll32.exe.754756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.rundll32.exe.5b0000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 18.0.rundll32.exe.4764756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.rundll32.exe.c00000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.f70000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.3300000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 19.2.rundll32.exe.754756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.rundll32.exe.e94756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.rundll32.exe.4764756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.b20000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.f70000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.b20000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.bd0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.15e4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.rundll32.exe.1144756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.rundll32.exe.4af4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.4df4756.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.c00000.3.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 17.0.rundll32.exe.4af4756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.rundll32.exe.c00000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 14.2.rundll32.exe.fc0000.0.unpack | Avira: Label: TR/ATRAPS.Gen2
Source: 16.0.rundll32.exe.1144756.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rpidebbfll.pdb | source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source: Binary string: wntdll.pdbUGP | source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 149.202.179.100:443
Source: Malware configuration extractor | IPs: 66.147.235.11:6891
Source: Malware configuration extractor | IPs: 81.0.236.89:13786
Source: Joe Sandbox View | ASN Name: HOSTROCKETUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | IP Address: 66.147.235.11
Source: Joe Sandbox View | IP Address: 149.202.179.100
Source: Joe Sandbox View | IP Address: 81.0.236.89
Source: loaddll32.exe, 00000000.00000002.648422509.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.372865791.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.649740233.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.650585460.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.600585830.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.614963241.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.640010436.000000006ED0F000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.640637691.000000006ED0F000.00000002.00020000.sdmp | String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 17.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.rundll32.exe.6ecf0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.rundll32.exe.6ecf0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.650424736.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.633029380.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.647984137.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.639692678.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.372154068.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.609752932.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.647602284.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000000.640582271.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.648668483.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.649606375.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.646115407.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.614518127.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.600008382.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.631903118.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.600571038.000000006ECF1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Joe Sandbox Cloud Basic: Detection: malicious, Score: 76, Threat Name: Dridex
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Binary or memory string: OriginalFilename ddlb.dll vs SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ED00754
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ED09348
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ECF1494
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ECF846C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ED01460
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ED01D58
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ECFA52C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ECF90CC
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Virustotal: Detection: 21%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll,FFRgpmdlwwWde
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6120
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2212
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERA390.tmp
Source: classification engine | Classification label: mal84.troj.evad.winDLL@28/11@0/3
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static file information: File size 1093632 > 1048576
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: rpidebbfll.pdb | source: SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll
Source: Binary string: wntdll.pdbUGP | source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: rundll32.exe, 00000004.00000003.352818755.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.595500849.000000004B280000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6ECFF6CC push esi; mov dword ptr [esp], 00000000h | 0_2_6ECFF6CD
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (54 occurrences)

                      Malware Analysis System Evasion:

                      Tries to delay execution (extensive OutputDebugStringW loop)
                      Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: OutputDebugStringW count: 448
                      Source: C:\Windows\SysWOW64\rundll32.exe; Window / User API: threadDelayed 426
                      Source: C:\Windows\System32\loaddll32.exe; Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exe; Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
                      Source: WERD744.tmp.WERInternalMetadata.xml.29.dr; Binary or memory string: <SystemManufacturer>VMware, Inc.</SystemManufacturer>
                      Source: WERDCC3.tmp.xml.29.dr; Binary or memory string: <arg nm="syspro" val="VMware7,1" />
                      Source: WERD744.tmp.WERInternalMetadata.xml.29.dr; Binary or memory string: <SystemProductName>VMware7,1</SystemProductName>
                      Source: WERDCC3.tmp.xml.29.dr; Binary or memory string: <arg nm="sysmfg" val="VMware, Inc." />
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6ECF6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,0_2_6ECF6D50
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 664
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Drixed-FJXE53A16BEA791.13728.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 664
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 664
                      Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp; Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp; Binary or memory string: SProgram Managerl
                      Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd,
                      Source: loaddll32.exe, 00000000.00000002.646808145.00000000019A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.362283972.0000000003910000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.648957709.0000000003410000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.649564710.00000000039E0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000000.596800440.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000000.590761143.0000000003610000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000000.637219700.0000000003280000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.632972734.0000000003280000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe; Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,0_2_6ECF6D50
                      Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Mitre Att&ck Matrix

                      Techniques listed per tactic column (the number in parentheses is the count attached to that technique in the matrix):

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                      Privilege Escalation: Process Injection (12); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                      Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (11); Process Injection (12); Obfuscated Files or Information (1); Rundll32 (1); Software Packing (1); Compile After Delivery
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                      Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (11); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (12)
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                      Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                      Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet