Windows Analysis Report
6Sy6PrInNl.exe

Overview

General Information

Sample Name: 6Sy6PrInNl.exe
Analysis ID: 708240
MD5: cd1ffe7c30311659ea1be07ed7923d65
SHA1: 310fcf3a43286785eb88d742f5deeae150c661e9
SHA256: 842342b4db7bbc84d8e4da35f8d79d8b76a52815b7a22272f331ba906d2dba6c
Tags: exemorpheuspwtorun

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
File is packed with WinRar
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters such as "-", "/" or "--").
Sample reads itself and does not show any behavior; it likely performs some host environment checks which are compared against an embedded key.
  • System is w10x64
  • 6Sy6PrInNl.exe (PID: 1404 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" -install MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • 6Sy6PrInNl.exe (PID: 5552 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" /install MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • 6Sy6PrInNl.exe (PID: 5016 cmdline: "C:\Users\user\Desktop\6Sy6PrInNl.exe" /load MD5: CD1FFE7C30311659EA1BE07ED7923D65)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 6Sy6PrInNl.exe | ReversingLabs: Detection: 27%
Source: 6Sy6PrInNl.exe | Virustotal: Detection: 30%
Source: 6Sy6PrInNl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6Sy6PrInNl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb (source: 6Sy6PrInNl.exe)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099C330 SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009AB348 FindFirstFileExA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098848E
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_00994088
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009900B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009840FE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009A51C9
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_00997153
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009962CA
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009832F7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009943BF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098C426
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009AD440
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098F461
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009977EF
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009AD8EE
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098286B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098E9B7
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009B19F4
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_00996CDC
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_00993E0B
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009A4F9A
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098EFE2
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 0099EC50 appears 55 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 0099F5F0 appears 31 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: String function: 0099EB78 appears 39 times
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_00986FAA __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File read: C:\Users\user\Desktop\6Sy6PrInNl.exe
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_00986C74 GetLastError,FormatMessageW
Source: 6Sy6PrInNl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" -install
Source: unknown | Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" /install
Source: unknown | Process created: C:\Users\user\Desktop\6Sy6PrInNl.exe "C:\Users\user\Desktop\6Sy6PrInNl.exe" /load
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: sfxname (0_2_0099DF1E)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: sfxstime (0_2_0099DF1E)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Command line argument: STARTDLG (0_2_0099DF1E)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_7126781
Source: classification engine | Classification label: sus36.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Automated click: OK (repeated 49 times)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 6Sy6PrInNl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6Sy6PrInNl.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099F640 push ecx; ret 0_2_0099F653
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099EB78 push eax; ret 0_2_0099EB96
Source: 6Sy6PrInNl.exe | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Evasive API call chain: GetLocalTime, DecisionNodes (graph_0-23808)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099E6A3 VirtualQuery,GetSystemInfo
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | API call chain: ExitProcess graph end node (graph_0-23945)
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009A7DEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009AC030 GetProcessHeap
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099F9D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_009A8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099AF0F GetLocaleInfoW,GetNumberFormatW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099F654 cpuid
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0098B146 GetVersionExW
Source: C:\Users\user\Desktop\6Sy6PrInNl.exe | Code function: 0_2_0099DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle
MITRE ATT&CK Matrix

Techniques matched by this analysis, each preceded by the number of matching signatures (unmatched cells of the matrix are omitted; DLL Side-Loading and Process Injection appear under more than one tactic column in the original matrix):

  • 2 Command and Scripting Interpreter
  • 1 Native API
  • 1 DLL Side-Loading
  • 1 Process Injection
  • 1 Masquerading
  • 1 Deobfuscate/Decode Files or Information
  • 2 Obfuscated Files or Information
  • 1 Software Packing
  • 1 System Time Discovery
  • 2 Security Software Discovery
  • 2 File and Directory Discovery
  • 25 System Information Discovery
  • 1 Archive Collected Data
  • 1 Encrypted Channel