
Windows Analysis Report Rats4dIOmA.exe

Overview

General Information

Sample Name: Rats4dIOmA.exe
Analysis ID: 528071
MD5: 76a29095e02a151adc1f42ec844a65bd
SHA1: afd4593a0e709a11296556d5b1fb1833bb394c4d
SHA256: c26838865c476704101363c16c535dfae494dedadae972c0377c4f67669578b5
Tags: exe, Gozi
Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Detected unpacking (changes PE section rights)
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication

Process Tree

  • System is w10x64
  • Rats4dIOmA.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\Rats4dIOmA.exe" MD5: 76A29095E02A151ADC1F42EC844A65BD)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(6 further entries)

Unpacked PEs

Source | Rule | Description | Author
0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.Rats4dIOmA.exe.3c40000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.Rats4dIOmA.exe.42b94a0.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.517164137.0000000001FE0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "dm+RfNkITE5FceWriGPYkZaFfoP/k2XQ2jeLd8rNgFw6gJ6fNWsHd0U6akxsQHth/SBWm4/eMI9Y1qgwNJteasgQsUC7Ht20y96mIxH1hvPh9uvLSH5z2CNo+fcP8K+V0yoOOQzDln/qE7mMJHLu+rmogHE7S6lb7FVy/7xxrRe3zMDt5K9bDwOreWw0blGE", "c2_domain": ["yahoo.com", "soderunovos.website", "qoderunovos.website", "https://soderunovos.website", "https://qoderunovos.website"], "botnet": "4482", "server": "12", "serpent_key": "10291029JSJUYNHG", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: Rats4dIOmA.exe | Metadefender: Detection: 22%
Source: Rats4dIOmA.exe | ReversingLabs: Detection: 45%
Machine Learning detection for sample
Source: Rats4dIOmA.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Rats4dIOmA.exe.1fe0e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Rats4dIOmA.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.Rats4dIOmA.exe.3bf0000.0.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack
Source: Rats4dIOmA.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.100.216:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: Binary string: C:\sax\w.pdb source: Rats4dIOmA.exe
Source: Binary string: C:\sax\w.pdbP+C source: Rats4dIOmA.exe

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 74.6.143.26
Source: Joe Sandbox View | IP Address: 87.248.100.216
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: yahoo.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: www.yahoo.com
    Cookie: B=b5jn619gpst97&b=3&s=c6
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    date: Wed, 24 Nov 2021 17:23:51 GMT
    p3p: policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
    cache-control: private
    x-content-type-options: nosniff
    content-type: text/html; charset=UTF-8
    x-envoy-upstream-service-time: 9
    server: ATS
    Age: 0
    Transfer-Encoding: chunked
    Connection: close
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: frame-ancestors 'self' https://*.builtbygirls.com https://*.rivals.com https://*.engadget.com https://*.intheknow.com https://*.autoblog.com https://*.techcrunch.com https://*.yahoo.com https://*.aol.com https://*.huffingtonpost.com https://*.oath.com https://*.search.yahoo.com https://*.search.aol.com https://*.search.huffpost.com https://*.verizonmedia.com https://*.publishing.oath.com https://*.autoblog.com; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-popups-to-escape-sandbox allow-presentation; report-uri https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc01o4tgpst97&partner=;
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309794637.00000000021A6000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: *.www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309794637.00000000021A6000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: *.www.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp | String found in binary or memory: +www.yahoo.com=- equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: +www.yahoo.comS- equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: <noscript><META http-equiv="refresh" content="0;URL='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2FGYs9V_%2f2BcaIfj8lzbe6dwp1S50%2fqnf1CtPsO2EGsTOGBt0%2fTpQo4OHaLh1DZAzOHIElg2%2fLmJhngmT2kJ_2%2fFHuNwneH%2fOlki6SGkOhEdHnRV6_2B266%2fI71jLcWlaJ%2fWAM1n0wLbM0TzOock%2fJ5o_2ByTSV9y%2fSAhEyWB5DMB%2f4lW4ok5N%2fnAsrN2WO_%2f2Fjc4.crw'"></noscript> equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: Host: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp | String found in binary or memory: Location: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/k=# equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: var u='https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2FGYs9V_%2f2BcaIfj8lzbe6dwp1S50%2fqnf1CtPsO2EGsTOGBt0%2fTpQo4OHaLh1DZAzOHIElg2%2fLmJhngmT2kJ_2%2fFHuNwneH%2fOlki6SGkOhEdHnRV6_2B266%2fI71jLcWlaJ%2fWAM1n0wLbM0TzOock%2fJ5o_2ByTSV9y%2fSAhEyWB5DMB%2f4lW4ok5N%2fnAsrN2WO_%2f2Fjc4.crw'; equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.518270171.000000000502A000.00000004.00000010.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com' equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.com7 equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.comVB equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp | String found in binary or memory: www.yahoo.combA equals www.yahoo.com (Yahoo)
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://csp.yahoo.com/beacon/csp?src=ats&site=frontpage&region=US&lang=en-US&device=desktop&yrid=cc0
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000003.310833541.000000000475B000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp | String found in binary or memory: https://qoderunovos.website
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp | String found in binary or memory: https://soderunovos.website
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://soderunovos.website/jdraw/ldez60nkcypupl/Y8k6P2TKljJ3iNZCDUKjs/bDzAl0Dd4aRnqW1G/ctGW3CyINNEj
Source: Rats4dIOmA.exe, 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, Rats4dIOmA.exe, 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp | String found in binary or memory: https://soderunovos.websitehttps://qoderunovos.websiten
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/
Source: Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/?err=404&err_url=https%3a%2f%2fwww.yahoo.com%2fjdraw%2fhz1bq3PmtqtDPcpAxd%2f_2
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.309800668.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000003.310611526.00000000021F3000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/qnf1CtPsO2EGsTOGBt0/Tp
Source: Rats4dIOmA.exe, 00000000.00000003.310617078.00000000021A9000.00000004.00000001.sdmp, Rats4dIOmA.exe, 00000000.00000002.517602445.00000000021A4000.00000004.00000001.sdmp | String found in binary or memory: https://www.yahoo.com/k=#
Source: unknown | DNS traffic detected: queries for: yahoo.com
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError | 0_2_03C45988
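The request path above is the part of this traffic an analyst can actually work with: the first segment ("jdraw") is the campaign's URI prefix, the rest is base64 whose "/", "+" and "=" were rewritten as _2F, _2B and _2D before random slashes and a throwaway ".crw" extension were added, and the bytes underneath are Serpent-CBC ciphertext for the serpent_key in the extracted config. That recoding convention comes from public ISFB/Ursnif analyses, not from this report, which only shows the path. The script below is an added example (not Joe Sandbox code or sample code) that strips the transport layer back to raw bytes and turns the same observations into a URL-log heuristic; it stops short of the Serpent layer, and the path is copied from the GET request above.

```python
"""Recover the base64 layer of an Ursnif/Gozi (ISFB) C2 request path.

Added example, not code from the Joe Sandbox report. The recoding rules
(random '/' inserted into a base64 string whose '/', '+' and '=' were first
rewritten as _2F, _2B and _2D, then a filler extension appended) are the
publicly documented ISFB convention, assumed here; the report only shows
the resulting path.
"""
import base64
import binascii
import re

# Path copied from the report's GET request ("jdraw" is the botnet's URI
# prefix, ".crw" the random extension).
SAMPLE_PATH = ("/jdraw/hz1bq3PmtqtDPcpAxd/_2FGYs9V_/2BcaIfj8lzbe6dwp1S50/"
               "qnf1CtPsO2EGsTOGBt0/TpQo4OHaLh1DZAzOHIElg2/LmJhngmT2kJ_2/"
               "FHuNwneH/Olki6SGkOhEdHnRV6_2B266/I71jLcWlaJ/WAM1n0wLbM0TzOock/"
               "J5o_2ByTSV9y/SAhEyWB5DMB/4lW4ok5N/nAsrN2WO_/2Fjc4.crw")

_ESCAPES = {"_2F": "/", "_2B": "+", "_2D": "="}


def recover_base64(path: str) -> str:
    """Undo the slash insertion and the _2F/_2B/_2D rewriting."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("expected a prefix segment plus encoded data")
    body = "".join(segments[1:])                       # drop the URI prefix
    body = re.sub(r"\.[A-Za-z0-9]{1,5}$", "", body)    # drop the fake extension
    for token, char in _ESCAPES.items():
        body = body.replace(token, char)
    return body


def decode_payload(path: str) -> bytes:
    """Return the raw bytes under the base64 layer.

    For ISFB these are Serpent-CBC blocks keyed with the config's
    serpent_key; decrypting them is outside this example.
    """
    b64 = recover_base64(path)
    b64 += "=" * (-len(b64) % 4)                       # tolerate stripped padding
    return base64.b64decode(b64, validate=True)


# Many short alnum segments ending in a short extension.
_URI_SHAPE = re.compile(r"^(/[A-Za-z0-9_]{1,32}){6,}\.[a-z0-9]{2,5}$")


def looks_like_isfb_uri(path: str) -> bool:
    """Heuristic for proxy/URL logs: ISFB-shaped path, at least one escape
    token once the slashes are removed, and a payload that decodes to whole
    16-byte (Serpent block) multiples."""
    if not _URI_SHAPE.match(path):
        return False
    if not any(tok in path.replace("/", "") for tok in _ESCAPES):
        return False
    try:
        raw = decode_payload(path)
    except (ValueError, binascii.Error):
        return False
    return len(raw) >= 16 and len(raw) % 16 == 0


if __name__ == "__main__":
    raw = decode_payload(SAMPLE_PATH)
    print(len(raw), "bytes under base64; ISFB-shaped:",
          looks_like_isfb_uri(SAMPLE_PATH))
```

The 404 from Yahoo is expected: yahoo.com sits first in the c2_domain list as a decoy, so the first beacon goes to a host that will never answer, and the real servers (soderunovos.website, qoderunovos.website) come later. The heuristic should therefore be applied to the path regardless of destination host.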

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
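The security-relevant point of the two WMI signatures is that the sample never calls RegSetValueEx itself: it hands the writes to the WMI service through StdRegProv, so user-mode API hooks and Sysmon registry events keyed on the sample's PID see nothing, while the WMI-Activity log still records the ExecMethod with the caller's process id. The detector below is an added example, not part of the report; its input lines are constructed to carry the report's exact operation strings plus a PID and image path, and the allowlisted management agent path is hypothetical.

```python
"""Flag registry writes performed through WMI's StdRegProv provider.

Added example, not part of the Joe Sandbox report. Input lines are
constructed ("<pid> <image> <operation>") around the operation strings the
report prints; a real deployment would feed it the ClientProcessId and
Operation fields of Microsoft-Windows-WMI-Activity events instead.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    r"6456 C:\Users\user\Desktop\Rats4dIOmA.exe IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue",
    r"6456 C:\Users\user\Desktop\Rats4dIOmA.exe IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue",
    r"6456 C:\Users\user\Desktop\Rats4dIOmA.exe IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue",
    r"6456 C:\Users\user\Desktop\Rats4dIOmA.exe IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue",
    # Benign noise, constructed: an inventory query and an allowlisted agent.
    r"1204 C:\Windows\System32\svchost.exe IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process",
    r"3320 C:\Windows\CCM\CcmExec.exe IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue",
]

_OP = re.compile(
    r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+IWbemServices::(?P<call>\w+)\s+-\s+"
    r"(?P<namespace>[\w\\]+)\s+:\s+(?P<target>.+)$")

# StdRegProv methods that modify the registry (documented provider methods).
_WRITE_METHODS = {"SetDWORDValue", "SetQWORDValue", "SetStringValue",
                  "SetExpandedStringValue", "SetMultiStringValue",
                  "SetBinaryValue", "CreateKey", "DeleteKey", "DeleteValue",
                  "SetSecurityDescriptor"}

# Hypothetical allowlist of management agents expected to use StdRegProv.
ALLOWED_IMAGES = {r"c:\windows\ccm\ccmexec.exe"}


def parse_event(line: str):
    """Split one constructed line into its fields, or None if it does not parse."""
    m = _OP.match(line)
    return m.groupdict() if m else None


def find_wmi_registry_writers(lines, allowed=ALLOWED_IMAGES):
    """Return {pid: {"image", "writes", "reads"}} for every process that wrote
    the registry via StdRegProv from an image outside the allowlist."""
    by_pid = defaultdict(lambda: {"image": None, "writes": [], "reads": []})
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["call"] != "ExecMethod":
            continue
        cls, _, method = ev["target"].partition("::")
        if cls != "StdRegProv":
            continue
        rec = by_pid[ev["pid"]]
        rec["image"] = ev["image"]
        rec["writes" if method in _WRITE_METHODS else "reads"].append(method)
    return {pid: rec for pid, rec in by_pid.items()
            if rec["writes"] and rec["image"].lower() not in allowed}


if __name__ == "__main__":
    for pid, rec in find_wmi_registry_writers(SAMPLE_EVENTS).items():
        print(pid, rec["image"], "wrote via WMI:", ", ".join(rec["writes"]))
```

Keying on the image path rather than on the method alone matters because configuration-management agents legitimately drive StdRegProv all day; the signal is an unsigned binary in a user profile doing it, as here.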
Uses 32bit PE files
Source: Rats4dIOmA.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C4AFC0 | 0_2_03C4AFC0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C47FBE | 0_2_03C47FBE
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C4836E | 0_2_03C4836E
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_00401703 NtMapViewOfSection | 0_2_00401703
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_00401C90 GetProcAddress,NtCreateSection,memset | 0_2_00401C90
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_004019A0 NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError | 0_2_004019A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C49A0F NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 0_2_03C49A0F
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C4B1E5 NtQueryVirtualMemory | 0_2_03C4B1E5
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_01FE1BF0 NtQuerySystemInformation,Sleep,CreateThread,QueueUserAPC,TerminateThread,SetLastError,WaitForSingleObject,GetExitCodeThread | 0_2_01FE1BF0
PE file contains strange resources
Source: Rats4dIOmA.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rats4dIOmA.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rats4dIOmA.exe | Metadefender: Detection: 22%
Source: Rats4dIOmA.exe | ReversingLabs: Detection: 45%
Source: Rats4dIOmA.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@4/2
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C48F1B CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_03C48F1B
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: pemahu | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: Regefiri | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: Hucet | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: Xegixaze | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: \H | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: zijiwe | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: 2Y? | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: mecevituxe | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Command line argument: Petoco | 0_2_0042F0A0
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Rats4dIOmA.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: Rats4dIOmA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Rats4dIOmA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Rats4dIOmA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Rats4dIOmA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Rats4dIOmA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Rats4dIOmA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Rats4dIOmA.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\sax\w.pdb source: Rats4dIOmA.exe
Source: Binary string: C:\sax\w.pdbP+C source: Rats4dIOmA.exe

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Unpacked PE file: 0.2.Rats4dIOmA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C4E9AC push 0B565A71h; ret | 0_2_03C4E9B1
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C4AFAF push ecx; ret | 0_2_03C4AFBF
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C4AC00 push ecx; ret | 0_2_03C4AC09
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C4E62F push edi; retf | 0_2_03C4E630
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_0042E7D0 push ecx; mov dword ptr [esp], 00000000h | 0_2_0042E7D1
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_00401264 LoadLibraryA,GetProcAddress | 0_2_00401264
Source: initial sample | Static PE information: section name: .text entropy: 7.04444899707
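Two of the lines above are the whole unpacking story in miniature: the section-rights comparison shows the image at 0x400000 ending up with a different section set from what was mapped from disk, and a .text entropy of 7.04 bits per byte says the on-disk code section is mostly compressed or encrypted stub rather than compiler output. The helper below is an added example, not code from the report or the sample, that parses the report's two layout strings and scores section bytes the same way; it assumes the report's "X vs Y" order is dump first, original second, and the entropy inputs are constructed.

```python
"""Diff two PE section layouts as printed by the report and score entropy.

Added example, not from the Joe Sandbox report. UNPACKED and ON_DISK are the
two layout strings the report prints for the 0x400000 image; the assumption
that the first is the memory dump and the second the original file follows
the report's "<dump> vs <original>" wording. Entropy inputs are constructed.
"""
import math
from collections import Counter

UNPACKED = ".text:ER;.data:W;.rsrc:R;.reloc:R;"
ON_DISK = ".text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;"


def parse_layout(layout: str) -> dict:
    """'.text:ER;.data:W;' -> {'.text': 'ER', '.data': 'W'} (E=exec, R=read, W=write)."""
    out = {}
    for item in filter(None, layout.split(";")):
        name, _, rights = item.partition(":")
        out[name.strip()] = "".join(sorted(rights.strip().upper()))
    return out


def layout_delta(before: str, after: str) -> dict:
    """Sections that vanished, appeared, or changed protection between two layouts,
    plus any section that is both writable and executable afterwards."""
    a, b = parse_layout(before), parse_layout(after)
    return {
        "removed": sorted(set(a) - set(b)),
        "added": sorted(set(b) - set(a)),
        "changed": {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]},
        "writable_and_executable": sorted(
            n for n, r in b.items() if "W" in r and "E" in r),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packed_section_suspect(entropy: float, threshold: float = 7.0) -> bool:
    """Compiler-emitted code sections usually sit well below 7.0 bits/byte;
    the report's .text at 7.044 crosses the line used here."""
    return entropy >= threshold


if __name__ == "__main__":
    print(layout_delta(ON_DISK, UNPACKED))
    print(packed_section_suspect(7.04444899707))
```

For this sample the delta is that .rdata and .bss are gone from the dump and no section became writable and executable, which matches a payload that was written over the original image rather than a stub that flipped .text to RWX in place; the RWX check is there for the other common shape.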

                  Hooking and other Techniques for Hiding and Protection:

                  barindex
                  Yara detected Ursnif
                  Source: Yara match | File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe TID: 6852 | Thread sleep count: 33 > 30
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_00401264 LoadLibraryA, GetProcAddress | 0_2_00401264
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_01FE0D90 mov eax, dword ptr fs:[00000030h] | 0_2_01FE0D90
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_01FE092B mov eax, dword ptr fs:[00000030h] | 0_2_01FE092B
                  Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp | Binary or memory string: Progman
                  Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
                  Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
                  Source: Rats4dIOmA.exe, 00000000.00000002.517827409.00000000027E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C47A2E cpuid | 0_2_03C47A2E
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_00401E22 GetSystemTimeAsFileTime, _aulldiv, _snwprintf, CreateFileMappingW, GetLastError, GetLastError, MapViewOfFile, GetLastError, CloseHandle, GetLastError | 0_2_00401E22
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_00401752 CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError | 0_2_00401752
                  Source: C:\Users\user\Desktop\Rats4dIOmA.exe | Code function: 0_2_03C47A2E RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree | 0_2_03C47A2E

                  Stealing of Sensitive Information:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

                  Remote Access Functionality:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000000.00000003.310816150.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310772228.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310824742.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.518183803.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310739841.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310804717.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310680440.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310789542.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000003.310712356.0000000004758000.00000004.00000040.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Rats4dIOmA.exe PID: 6456, type: MEMORYSTR
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.3c40000.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Rats4dIOmA.exe.42b94a0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000002.518140305.00000000042B9000.00000004.00000040.sdmp, type: MEMORY

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Command and Scripting Interpreter 2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 22 | NTDS | Account Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | Carrier Billing Fraud |
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Owner/User Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                  Behavior Graph
