8deda3f9f857a91d1d9b3f420a3d9102a091849696a8f34b91e9413fc954a82f

Analysis

max time kernel
142s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
06/08/2023, 07:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

737307862171267fd72a88c78c79ba14.exe
Size

382KB
MD5

737307862171267fd72a88c78c79ba14
SHA1

9576e06d485497f9aacb25fc6820281e50b82350
SHA256

8deda3f9f857a91d1d9b3f420a3d9102a091849696a8f34b91e9413fc954a82f
SHA512

12e9b8d7fa55d2c478988ce4cf5d9bd1ed91a36f2f76938e7edad8b540a1c3dab284b27baf68dec4c898db844d6dfc11132ec44c8c09efc8b5f0869b988fce69
SSDEEP

6144:tFwR799OIQPd+iXhq+RaoIPqg3oHBcw3v9IliGS16dSg:tFO7DOIQPd+iXhq+RPR9IY

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	737307862171267fd72a88c78c79ba14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	737307862171267fd72a88c78c79ba14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	737307862171267fd72a88c78c79ba14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	737307862171267fd72a88c78c79ba14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	737307862171267fd72a88c78c79ba14.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	737307862171267fd72a88c78c79ba14.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2304	powershell.exe
3044	powershell.exe
2532	powershell.exe
1536	powershell.exe
2332	powershell.exe
1772	powershell.exe
668	powershell.exe
1444	powershell.exe
1772	powershell.exe
1772	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2656	737307862171267fd72a88c78c79ba14.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2304	2656	737307862171267fd72a88c78c79ba14.exe	28
PID 2656 wrote to memory of 2304	2656	737307862171267fd72a88c78c79ba14.exe	28
PID 2656 wrote to memory of 2304	2656	737307862171267fd72a88c78c79ba14.exe	28
PID 2656 wrote to memory of 2532	2656	737307862171267fd72a88c78c79ba14.exe	34
PID 2656 wrote to memory of 2532	2656	737307862171267fd72a88c78c79ba14.exe	34
PID 2656 wrote to memory of 2532	2656	737307862171267fd72a88c78c79ba14.exe	34
PID 2656 wrote to memory of 3044	2656	737307862171267fd72a88c78c79ba14.exe	35
PID 2656 wrote to memory of 3044	2656	737307862171267fd72a88c78c79ba14.exe	35
PID 2656 wrote to memory of 3044	2656	737307862171267fd72a88c78c79ba14.exe	35
PID 2656 wrote to memory of 2332	2656	737307862171267fd72a88c78c79ba14.exe	38
PID 2656 wrote to memory of 2332	2656	737307862171267fd72a88c78c79ba14.exe	38
PID 2656 wrote to memory of 2332	2656	737307862171267fd72a88c78c79ba14.exe	38
PID 2656 wrote to memory of 1536	2656	737307862171267fd72a88c78c79ba14.exe	39
PID 2656 wrote to memory of 1536	2656	737307862171267fd72a88c78c79ba14.exe	39
PID 2656 wrote to memory of 1536	2656	737307862171267fd72a88c78c79ba14.exe	39
PID 2656 wrote to memory of 1444	2656	737307862171267fd72a88c78c79ba14.exe	42
PID 2656 wrote to memory of 1444	2656	737307862171267fd72a88c78c79ba14.exe	42
PID 2656 wrote to memory of 1444	2656	737307862171267fd72a88c78c79ba14.exe	42
PID 2656 wrote to memory of 668	2656	737307862171267fd72a88c78c79ba14.exe	43
PID 2656 wrote to memory of 668	2656	737307862171267fd72a88c78c79ba14.exe	43
PID 2656 wrote to memory of 668	2656	737307862171267fd72a88c78c79ba14.exe	43
PID 2656 wrote to memory of 1772	2656	737307862171267fd72a88c78c79ba14.exe	44
PID 2656 wrote to memory of 1772	2656	737307862171267fd72a88c78c79ba14.exe	44
PID 2656 wrote to memory of 1772	2656	737307862171267fd72a88c78c79ba14.exe	44
PID 1772 wrote to memory of 2568	1772	powershell.exe	48
PID 1772 wrote to memory of 2568	1772	powershell.exe	48
PID 1772 wrote to memory of 2568	1772	powershell.exe	48
PID 2656 wrote to memory of 2468	2656	737307862171267fd72a88c78c79ba14.exe	49
PID 2656 wrote to memory of 2468	2656	737307862171267fd72a88c78c79ba14.exe	49
PID 2656 wrote to memory of 2468	2656	737307862171267fd72a88c78c79ba14.exe	49
PID 2468 wrote to memory of 2264	2468	powershell.exe	51
PID 2468 wrote to memory of 2264	2468	powershell.exe	51
PID 2468 wrote to memory of 2264	2468	powershell.exe	51

C:\Users\Admin\AppData\Local\Temp\737307862171267fd72a88c78c79ba14.exe
"C:\Users\Admin\AppData\Local\Temp\737307862171267fd72a88c78c79ba14.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell New-Item '\\?\C:\Windows \System32' -ItemType Directory
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Move-Item -Path 'C:\Users\Admin\AppData\Local\Temp\profapi.dll' -Destination '\\?\C:\Windows \System32\profapi.dll'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Move-Item -Path 'C:\Users\Admin\AppData\Local\Temp\ComputerDefaults.exe' -Destination '\\?\C:\Windows \System32\ComputerDefaults.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Move-Item -Path 'C:\Users\Admin\AppData\Local\Temp\profapi.dll' -Destination '\\?\C:\Windows \System32\profapi.dll'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Move-Item -Path 'C:\Users\Admin\AppData\Local\Temp\ComputerDefaults.exe' -Destination '\\?\C:\Windows \System32\ComputerDefaults.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Move-Item -Path 'C:\Users\Admin\AppData\Local\Temp\profapi.dll' -Destination '\\?\C:\Windows \System32\profapi.dll'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Move-Item -Path 'C:\Users\Admin\AppData\Local\Temp\ComputerDefaults.exe' -Destination '\\?\C:\Windows \System32\ComputerDefaults.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -FilePath 'C:\Windows \System32\ComputerDefaults.exe' -Verb RunAs"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\System32\ComputerDefaults.exe
    "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -FilePath 'C:\Windows \System32\ComputerDefaults.exe' -Verb RunAs"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\System32\ComputerDefaults.exe
    "C:\Windows\System32\ComputerDefaults.exe"
    3⤵
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
673700ba28263bf4f27ca654f7c206d9

SHA1
81e57b06a0c00e1ae154d3babfa62864d7582759

SHA256
6e0fa8f44be1eef94990c6bb4ac88a766284d7f6325f55464427830cab27bf2d

SHA512
6ca817b9dfcbd4d67ca2dcae56d09f38028cb7905b5dd494f5daa51772b427d32a1b48c5c96a600d516be738f7221f9c13be3173e638c4fd8c98e71ee2d7e8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab823C.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar830A.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0SRR02A09OLISB1GW093.temp

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
81950ef8261e178c6c829c66d2c80a26

SHA1
feefa9f803f88e6174df8f3eff2acbb9c9651e75

SHA256
a0bb157480c68a1f428009cb6f07a9c21c47a92e0f22b5cd7af00f63deb21f39

SHA512
73f345bc891803594893dc221fbac8629e9957188b69ce08d16d45ec474de4b45b31e5884b7b6e2147aeec88ed4fb71cf366d4bb5a23b90d86c448500e4cb272

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d38034ff495eb84fde6257aa69a9b9c

SHA1
abc4076a008354560309857b081d9ab5fd6928fc

SHA256
c1cc48f4087cc389b59bb7743f6f93833e39d25a2141a08858393e30f008d680

SHA512
dc1643695558c33a68bb42ef39d847338d4abece0062a3b03ed26739a1e4847078d98c34d61390dc57bef87e5d6ecbe7686b80e60be1d4345e1d2434fd1236d2

Download Submit
memory/668-221-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/668-222-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/668-219-0x000000000235B000-0x00000000023C2000-memory.dmp

Filesize
412KB

Download
memory/668-223-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/1444-225-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1444-232-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1444-231-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1444-227-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1444-224-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1444-226-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1536-189-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1536-195-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-188-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-190-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-191-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/1536-192-0x000000000295B000-0x00000000029C2000-memory.dmp

Filesize
412KB

Download
memory/1772-218-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1772-229-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1772-216-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1772-220-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/1772-228-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/1772-217-0x0000000002720000-0x00000000027A0000-memory.dmp

Filesize
512KB

Download
memory/2264-244-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/2304-65-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2304-58-0x000000001B080000-0x000000001B362000-memory.dmp

Filesize
2.9MB

Download
memory/2304-61-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-62-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2304-63-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2304-64-0x00000000025C0000-0x0000000002640000-memory.dmp

Filesize
512KB

Download
memory/2304-66-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-60-0x000007FEF5A20000-0x000007FEF63BD000-memory.dmp

Filesize
9.6MB

Download
memory/2304-59-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2332-193-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2332-199-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2332-197-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2332-198-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2332-196-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2332-194-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2468-245-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-243-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2468-242-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2468-241-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2468-240-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2468-239-0x000007FEF4C80000-0x000007FEF561D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-170-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2532-175-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-169-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-177-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2532-176-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/2532-174-0x000000000298B000-0x00000000029F2000-memory.dmp

Filesize
412KB

Download
memory/2568-230-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2568-233-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/3044-168-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-171-0x000000000288B000-0x00000000028F2000-memory.dmp

Filesize
412KB

Download
memory/3044-173-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-165-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/3044-167-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/3044-166-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/3044-164-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/3044-172-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download