
Windows Analysis Report
McDQxpmcsx.exe

Overview

General Information

Sample Name: McDQxpmcsx.exe
Original Sample Name: Trojan.Win32.Yakes.abaep-a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240.exe
Analysis ID: 828210
MD5: de74e1eb8ca5494496632da478851ade
SHA1: 99f22f4fa9a0619b9f09e15afc6446160ae6541e
SHA256: a597d34bc2464c3ace48ac04f6653f65ac4822ea8e4a5717ba9e4909b8c62240

Detection

DBatLoader, Kovter
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected DBatLoader
Multi AV Scanner detection for submitted file
Yara detected Kovter
Malicious sample detected (through community Yara rule)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • McDQxpmcsx.exe (PID: 5812 cmdline: C:\Users\user\Desktop\McDQxpmcsx.exe MD5: DE74E1EB8CA5494496632DA478851ADE)
    • WerFault.exe (PID: 5860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 548 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Kovter
Description: Kovter is a Police Ransomware.
  • Feb 2012 - Police Ransomware
  • Aug 2013 - Became AD Fraud
  • Mar 2014 - Ransomware to AD Fraud malware
  • June 2014 - Distributed from Sweet Orange exploit kit
  • Dec 2014 - Run affiliated node
  • Apr 2015 - Spread via Fiesta and Nuclear pack
  • May 2015 - Kovter became fileless
  • 2016 - Malvertising campaign on Chrome and Firefox
  • June 2016 - Change in persistence
  • July 2017 - Nemucod and Kovter were packed together
  • Jan 2018 - Cylance report on persistence
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter
Source | Rule | Description | Author | Strings
McDQxpmcsx.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
McDQxpmcsx.exe | JoeSecurity_Kovter | Yara detected Kovter | Joe Security
McDQxpmcsx.exe | Win32_Ransomware_Kovter | unknown | ReversingLabs
  • 0x45654:$remote_connection_1: 55 8B EC 81 C4 C0 FB FF FF 53 56 57 33 DB 89 9D C0 FB FF FF 89 9D C4 FB FF FF 89 9D C8 FB FF FF 89 9D CC FB FF FF 89 9D D0 FB FF FF 89 9D D4 FB FF FF 89 9D D8 FB FF FF 89 5D EC 89 5D E4 8B D9 ...
  • 0x45868:$remote_connection_2: 45 E0 50 6A 1F 8B 45 F4 50 E8 82 0A FC FF 85 C0 0F 84 B4 00 00 00 8B 45 E0 0D 00 01 00 00 0D 80 00 00 00 89 45 E0 8B 45 DC 50 8D 45 E0 50 6A 1F 8B 45 F4 50 E8 67 0A FC FF 85 C0 0F 84 89 00 00 ...
  • 0x45b78:$remote_connection_3: 45 F4 50 E8 80 07 FC FF 85 C0 74 46 83 7D F0 00 74 40 8D 45 E4 8B 55 F0 E8 03 D1 FB FF 8D 45 E4 E8 97 CF FB FF 8D 95 DC FB FF FF 8B 4D F0 E8 E5 FE FB FF 8B C6 8B 55 E4 E8 B7 CD FB FF 8B 45 F0 ...
  • 0x471e7:$find_files: 50 E8 C3 E5 FB FF 8B D8 83 FB FF 0F 84 06 01 00 00 33 F6 46 81 FE 10 27 00 00 0F 87 F7 00 00 00 83 FB FF 0F 84 EE 00 00 00 8D 45 F8 8D 57 2C B9 04 01 00 00 E8 48 BC FB FF 8B 45 F8 BA 10 81 44 ...
  • 0x22616:$decrypt_payload_script: FF 75 D8 FF 75 F4 68 A8 33 42 00 FF 75 FC 68 B4 33 42 00 8D 45 D4 E8 97 FC FF FF FF 75 D4 FF 75 F0 68 C0 33 42 00 FF 75 EC 68 D4 33 42 00 FF 75 EC 68 E0 33 42 00 FF 75 F4 68 EC 33 42 00 FF 75 ...

Source | Rule | Description | Author | Strings
00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Kovter | Yara detected Kovter | Joe Security
00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_Kovter | Yara detected Kovter | Joe Security

Source | Rule | Description | Author | Strings
0.2.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
0.2.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_Kovter | Yara detected Kovter | Joe Security
0.2.McDQxpmcsx.exe.64c0000.0.unpack | Win32_Ransomware_Kovter | unknown | ReversingLabs
  • 0x45654:$remote_connection_1: 55 8B EC 81 C4 C0 FB FF FF 53 56 57 33 DB 89 9D C0 FB FF FF 89 9D C4 FB FF FF 89 9D C8 FB FF FF 89 9D CC FB FF FF 89 9D D0 FB FF FF 89 9D D4 FB FF FF 89 9D D8 FB FF FF 89 5D EC 89 5D E4 8B D9 ...
  • 0x45868:$remote_connection_2: 45 E0 50 6A 1F 8B 45 F4 50 E8 82 0A FC FF 85 C0 0F 84 B4 00 00 00 8B 45 E0 0D 00 01 00 00 0D 80 00 00 00 89 45 E0 8B 45 DC 50 8D 45 E0 50 6A 1F 8B 45 F4 50 E8 67 0A FC FF 85 C0 0F 84 89 00 00 ...
  • 0x45b78:$remote_connection_3: 45 F4 50 E8 80 07 FC FF 85 C0 74 46 83 7D F0 00 74 40 8D 45 E4 8B 55 F0 E8 03 D1 FB FF 8D 45 E4 E8 97 CF FB FF 8D 95 DC FB FF FF 8B 4D F0 E8 E5 FE FB FF 8B C6 8B 55 E4 E8 B7 CD FB FF 8B 45 F0 ...
  • 0x471e7:$find_files: 50 E8 C3 E5 FB FF 8B D8 83 FB FF 0F 84 06 01 00 00 33 F6 46 81 FE 10 27 00 00 0F 87 F7 00 00 00 83 FB FF 0F 84 EE 00 00 00 8D 45 F8 8D 57 2C B9 04 01 00 00 E8 48 BC FB FF 8B 45 F8 BA 10 81 44 ...
  • 0x22616:$decrypt_payload_script: FF 75 D8 FF 75 F4 68 A8 33 42 00 FF 75 FC 68 B4 33 42 00 8D 45 D4 E8 97 FC FF FF FF 75 D4 FF 75 F0 68 C0 33 42 00 FF 75 EC 68 D4 33 42 00 FF 75 EC 68 E0 33 42 00 FF 75 F4 68 EC 33 42 00 FF 75 ...
0.0.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
0.0.McDQxpmcsx.exe.64c0000.0.unpack | JoeSecurity_Kovter | Yara detected Kovter | Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: McDQxpmcsx.exe | Avira: detected
Source: McDQxpmcsx.exe | ReversingLabs: Detection: 71%
Source: McDQxpmcsx.exe | Virustotal: Detection: 65%
Source: McDQxpmcsx.exe | Joe Sandbox ML: detected
Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack | Avira: Label: DR/Delphi.Gen
Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack | Malware Configuration Extractor: Kovter
Source: McDQxpmcsx.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Networking

Source: Amcache.hve.2.dr | String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Source: Yara match | File source: McDQxpmcsx.exe, type: SAMPLE
Source: Yara match | File source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

                      Source: McDQxpmcsx.exe, type: SAMPLE | Matched rule: Win32_Ransomware_Kovter Author: ReversingLabs
                      Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter Author: ReversingLabs
                      Source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter Author: ReversingLabs
                      Source: McDQxpmcsx.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                      Source: McDQxpmcsx.exe, type: SAMPLE | Matched rule: Win32_Ransomware_Kovter tc_detection_name = Kovter, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                      Source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter tc_detection_name = Kovter, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                      Source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_Kovter tc_detection_name = Kovter, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 548
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6FDC | 0_2_064C6FDC
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6C14 | 0_2_064C6C14
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D4524 | 0_2_064D4524
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6D30 | 0_2_064C6D30
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C7DA8 | 0_2_064C7DA8
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D6A30 | 0_2_064D6A30
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D9AE0 | 0_2_064D9AE0
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D9804 | 0_2_064D9804
                      Source: McDQxpmcsx.exe | ReversingLabs: Detection: 71%
                      Source: McDQxpmcsx.exe | Virustotal: Detection: 65%
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\McDQxpmcsx.exe C:\Users\user\Desktop\McDQxpmcsx.exe
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 548
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5812
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC5F.tmp
                      Source: classification engine | Classification label: mal88.troj.winEXE@2/6@0/0
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts

                      Data Obfuscation

                      Source: Yara match | File source: McDQxpmcsx.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_06503E70 push ecx; mov dword ptr [esp], edx | 0_2_06503E75
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C66D8 push 00406704h; ret | 0_2_064C66FC
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_06501EF0 push ecx; mov dword ptr [esp], FFFFFFFFh | 0_2_06501EF3
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D86FC push 00418728h; ret | 0_2_064D8720
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6E98 push 00406EC4h; ret | 0_2_064C6EBC
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064F6E94 push 00436EF6h; ret | 0_2_064F6EEE
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CAEA8 push 0040AED4h; ret | 0_2_064CAECC
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C66A0 push 004066CCh; ret | 0_2_064C66C4
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D874C push 004187ACh; ret | 0_2_064D87A4
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CB754 push 0040B787h; ret | 0_2_064CB77F
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6F10 push 00406F3Ch; ret | 0_2_064C6F34
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CAF80 push 0040AFACh; ret | 0_2_064CAFA4
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C5FA4 push 00406009h; ret | 0_2_064C6001
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_06512C74 push 00452CC6h; ret | 0_2_06512CBE
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CE42C push 0040E478h; ret | 0_2_064CE470
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CECEC push 0040ED18h; ret | 0_2_064CED10
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064DADFC push 0041AE28h; ret | 0_2_064DAE20
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C7A4C push 00407A78h; ret | 0_2_064C7A70
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6240 push 0040626Ch; ret | 0_2_064C6264
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CDA54 push 0040DA80h; ret | 0_2_064CDA78
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CE268 push 0040E294h; ret | 0_2_064CE28C
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CDA08 push 0040DA4Ah; ret | 0_2_064CDA42
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064DC210 push 0041C23Ch; ret | 0_2_064DC234
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064DB22C push 0041B258h; ret | 0_2_064DB250
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D6A30 push 00416B98h; ret | 0_2_064D6B90
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064D62CC push 004162F8h; ret | 0_2_064D62F0
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C7AD4 push 00407B00h; ret | 0_2_064C7AF8
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064CDA8C push 0040DAB8h; ret | 0_2_064CDAB0
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064DE340 push 0041E382h; ret | 0_2_064DE37A
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C6B70 push 00406B9Ch; ret | 0_2_064C6B94
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_06502BF0 push 00442C35h; ret | 0_2_06502C2D
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware
                      Source: Amcache.hve.2.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
                      Source: Amcache.hve.2.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual USB Mouse
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware, Inc.
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                      Source: Amcache.hve.2.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware7,1
                      Source: Amcache.hve.2.dr | Binary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: Amcache.hve.2.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: Amcache.hve.2.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.2.dr | Binary or memory string: VMware, Inc.me
                      Source: Amcache.hve.2.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                      Source: Amcache.hve.2.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: Amcache.hve.2.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C98A4 mov eax, dword ptr fs:[00000030h] | 0_2_064C98A4
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\McDQxpmcsx.exe | Code function: 0_2_064C620C LdrInitializeThunk, | 0_2_064C620C
                      Source: Amcache.hve.2.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe

                      Stealing of Sensitive Information

                      Source: Yara match | File source: McDQxpmcsx.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.McDQxpmcsx.exe.64c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000000.244088396.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.251856680.00000000064C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
                      Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
                      Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
                      Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Software Packing; 1 Process Injection; 1 Obfuscated Files or Information
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
                      Discovery: 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 System Information Discovery; 1 Remote System Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
                      Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
                      Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud