c189b6ac65c28a587f58df19d61132c231896a43b3b33e681246c58bebad4139

Analysis

max time kernel
331s
max time network
347s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roUI-win32-x64/roUI.exe
Size

129.8MB
MD5

f96c49e1edeafedab1d7f991500ab3b0
SHA1

355f8c54b90b9fb9edc9a71bd4b979baf77326c1
SHA256

e1254436ad4ff1c60ddb725b61f00090d181f83336e0317a59b432e4982397f6
SHA512

41f33a4368c1242cf9bf2c750236c39befa166ea96d0087c76badeea3a9b9bf4f9635fd171c465740e2bbf82543fce16d9ea81a82204e2a3174a14cb81b0dd6a
SSDEEP

1572864:d6ckQr2SGDlw8h9DxUPh9hHV9nItmuT+2ibiE9TNGrAym:jXulw8PDxUZI4Gg

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation	roUI.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	roUI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	roUI.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2300	roUI.exe
1516	roUI.exe
1268	roUI.exe
1752	roUI.exe
1752	roUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2628	1752	roUI.exe	28
PID 1752 wrote to memory of 2300	1752	roUI.exe	29
PID 1752 wrote to memory of 2300	1752	roUI.exe	29
PID 1752 wrote to memory of 2300	1752	roUI.exe	29
PID 1752 wrote to memory of 1516	1752	roUI.exe	30
PID 1752 wrote to memory of 1516	1752	roUI.exe	30
PID 1752 wrote to memory of 1516	1752	roUI.exe	30
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31
PID 1752 wrote to memory of 1856	1752	roUI.exe	31

C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
"C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=gpu-process --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1300 /prefetch:2
  2⤵
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1584 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=gpu-process --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1424 /prefetch:2
  2⤵
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:1268
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1584 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:872
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1368 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=424 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe
  "C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\roUI.exe" --type=renderer --field-trial-handle=1280,5350881092563422871,15954446584714360596,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\roUI-win32-x64\resources\app" --enable-sandbox --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C46.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\6fd4556fb67383d4_0

Filesize
18KB

MD5
235329c9e96543e07e2e3b8c0df41b83

SHA1
39083746eb1ed5034f8c81b3dce0c68b2c88d74a

SHA256
9d67b2df31daa3d26d696e5c43bce647d34ca64b72099d893507f9c704e3a89d

SHA512
cabf285a6c481545ec7562089c1c9bd36ea57f915ae72cb7a8cd08b4acdf3e20a2a790f649ff17c877a100efb9935506796423242dbc2b9724237c1b8ee398f1

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7439d3f92b736e2f5e51b5d5195f6a66

SHA1
1cc503f19ba7c25a9416926dce0f3c3a2909aba4

SHA256
b07493562306e2a0fbe3743a061df16062c8897b38b1ed2d8116b7cbec76dcdc

SHA512
9ceb381b5ee717e0c9145cfbcc7e2571b26a8761eb6659c1fa67f777a1ae9119708c116130c2d6a44f1453880a046cb8908abc6f886ca15c7865f634ac9e2091

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
acaf34695451038945e0d02dc84abe36

SHA1
d0de24d57fa0ebb8b98963ae51327e4b4a630e7f

SHA256
e19e51b7edf56a818733aa3e446d0568bfd39c3b6a3c907902b272f3058ea53a

SHA512
333f3f5737dc1b8efd14148c8da9dd65fc2ccdc1d73389cf92ba8f27c885ac5336de84cc074e3228a42879ae305b22608a4ddb13fa32a3b8a070ff4cf1ff5f65

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
c488d85b56570735179c3788e4bcd473

SHA1
12533a6df12e318682dc744ecbe4e6d4e1207de9

SHA256
f301b0f60282432cc4bad29267060f9bb4a0f5b0eb73f7b431b0b24e57be9e69

SHA512
b94bdcc5dd7d1849bf78d408081e71ce497398d84e7f971c5ab26a1bc99797713e85f8405ead34119c952ed637995129257157b5f9a3132d586046cc2c3262a4

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
4f616be751c66cdc29b4981ba65e154c

SHA1
e9dbaa2611d3f9a59d1f8c7cfbf222ea95d175de

SHA256
b81e62aaf5040313e84c0d39d7914edf0b019c737dddc5be32c9cc5a4fc69709

SHA512
a4fa38cb255c40c9e260127ad170937192473b16d871d43cc2ba7de9a49e3db7da3e0013c032c56f5cbbdf0bc69f0bf7e2754e5eb70b368a686a2004cf81502e

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
1d3a5f00d10afb36d152a109bf128366

SHA1
837ad8623de0871de4f59d218b27a8f1ce41dd05

SHA256
4d5e521887b0ca8549b38f4a8b1fa6961b0fd0aba7f5d7f5b4536d27d669aa97

SHA512
604981f4fa35551acf2a6f7be468bbccfd20e44cb5a3ec76c6140a22e5ed3bff71ae468dfe8288e400772d37c0417ef8a882cf60aae421e6830d46859615d7fd

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Network Persistent State

Filesize
909B

MD5
3d29b1f372df31e4ad308ebebceddec1

SHA1
b56722fb188b2d918d5e52940dd9b807cc7b9add

SHA256
57c98c203263c9eae0a07571e137775e9fc2e2382209c6760b4922663c12edd3

SHA512
15343b3f1bae676121961274688c3c983fa770fddeae583972fdae2e9213ad38f8db5971c6e39e0036ab9de8ffddd9c8a9dd5923d75de28382b37903f8b70490

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Network Persistent State

Filesize
909B

MD5
99fa95c98af2c86081b3411c62f9eaab

SHA1
baa89d8f4c1e0d64720a1cee0d05f27fa2bafc21

SHA256
fe4386289e829771a47a3a51443e2266652c363d4552f5c10314e2b7e73fa495

SHA512
5e1f38414cb790d616ba5c684d6cc91d1cd5cfb733fc0826376d868612e1816b38910bdc49c014159f7ed6f30b30f34a27b36afe9273e1853c4115d2767aa772

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Network Persistent State

Filesize
909B

MD5
b4fde8cd89d9629b033742adde5a4961

SHA1
65019abf6301dca4f1997907a24484357cf22b85

SHA256
0501e61dbf37e4111a864af0a8fd48efbde20bbee38994cb9f022b54a1eaf894

SHA512
707c35113132233c18da34d5a2dc722f9d2de3f15370a6be4086939d708b62d4d335b4ff719eb1484193f3aa9e7e50b6732c5d9ed79e9caf4e0346cbb1dae77c

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\roUI\af04947a-92ad-4d71-abb3-9f8cb7f442d3.tmp

Filesize
909B

MD5
e23374354e21a340fac24c47e0e287f9

SHA1
f7fe38e432aaeed648fe4f5b6fd2f7bd3e2eb519

SHA256
3a56008ffb3eb6c4f75a8585cd2c1a8c63b06072295eceb8a6399bdf0f936231

SHA512
968ac0bdba505296a07744fa99e515e95f78824d0cbf0eb16b620abfe8590e5d7fa41ecfdc71d3489d36d9a9a74a194edf96c9d4993984994d210f26cb553b60

Download Submit
memory/1752-145-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1752-15-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2628-50-0x0000000077A00000-0x0000000077A01000-memory.dmp

Filesize
4KB

Download
memory/2628-1-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download