440368688434b4af8b947308d55d4397d4f207b7dd625cf8c5356c30068e50f4

Analysis

max time kernel
146s
max time network
170s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Better-CrewLink.exe
Size

120.6MB
MD5

c7436588c381984fbab948232fe36a60
SHA1

fa81b603b4fbc6bc0be7559b7ad3e1bb02b290b3
SHA256

42e6a6ea5db20fe0692be237bf16eb52faf1ea79935a6be401e1b30097136f24
SHA512

2285ec2f90c9541fb42e405bc567f20d7185b42fb7982df9cea51890f33366c17a5b59d63e698729b2e5395879bff231bcdf36f3b51aea08e3629a189380ac69
SSDEEP

1572864:X1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49zi:qasulbg8yTnbEOzi

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Better-CrewLink.exeBetter-CrewLink.exeBetter-CrewLink.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	Better-CrewLink.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	Better-CrewLink.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	Better-CrewLink.exe

Loads dropped DLL 4 IoCs

Processes:

Better-CrewLink.exe

pid process

1368 Better-CrewLink.exe
1368 Better-CrewLink.exe
1368 Better-CrewLink.exe
1368 Better-CrewLink.exe

pid	process
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Better-CrewLink.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Better-CrewLink.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Better-CrewLink.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Better-CrewLink.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

Better-CrewLink.exeBetter-CrewLink.exeBetter-CrewLink.exeBetter-CrewLink.exe

pid	process
1376	Better-CrewLink.exe
1640	Better-CrewLink.exe
1640	Better-CrewLink.exe
1640	Better-CrewLink.exe
1368	Better-CrewLink.exe
568	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe
1368	Better-CrewLink.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Better-CrewLink.exe

pid process

1368 Better-CrewLink.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Better-CrewLink.exe

pid process

1368 Better-CrewLink.exe

pid	process
1368	Better-CrewLink.exe

pid	process
1368	Better-CrewLink.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Better-CrewLink.exe

description	pid	process	target process
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 2616	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1376	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1376	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1376	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1640	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1640	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1640	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe
PID 1368 wrote to memory of 1028	1368	Better-CrewLink.exe	Better-CrewLink.exe

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=gpu-process --field-trial-handle=940,4642992530258624176,8675563713787819621,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=932 /prefetch:2
2⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=940,4642992530258624176,8675563713787819621,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1328 /prefetch:8
2⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=renderer --field-trial-handle=940,4642992530258624176,8675563713787819621,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1476 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1640

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=gpu-process --field-trial-handle=940,4642992530258624176,8675563713787819621,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=932 /prefetch:2
2⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=940,4642992530258624176,8675563713787819621,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1596 /prefetch:8
2⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe
"C:\Users\Admin\AppData\Local\Temp\Better-CrewLink.exe" --type=renderer --field-trial-handle=940,4642992530258624176,8675563713787819621,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adf852762ef2eee71c642baec75ef439

SHA1
3a1cc3ff8175fa76a8af3a06b037f61bad840aba

SHA256
cfb1cb4321cad058a4dcea9bdb9cc22def898bc3d9f333e7e3385408b7173793

SHA512
68ed3d28fc235e689c310c96d33642764c6e5a4722673a4de42bbf578e27059eb1d2604b1712eebe499263f54d2dee73de0eec0928f0ecd2ea4ce28b7421827a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C32.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C83.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\Cache\f_000001

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
39e0ffad643551417ac5c8fdd9775dfb

SHA1
7aba2a6241b939d61a3668b2df8e4e5910321b8b

SHA256
68013684399d387c36c4c4eb88c12b69dec57d2d5c91223713a43f328d145992

SHA512
b4a496f570f5bbfe7aa75d66f691632a752d9d2e832e6353e9d20e0b6b29c62e0685631f5324c2da23c921f1d89ef3a317292fc4a52e5d99024898a98d2f847a

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
33162e760bccf2b99fca7c70ca2bcf69

SHA1
9fe46ba6cea79f5612794c74d7e87f75b14484d9

SHA256
b6ce600cd1f0d968e188475d81bb8014b71ac6e5e348fb578bc4a4392b47cdb0

SHA512
273bb468c9bd911bf0381613986c9cae18da2c98e130de8cafba697215f778dca2f95d24ad9627562a6e3a11160bf826ce176d0878da34f7ddd03b0cd11f0ee9

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
9c1ad788183c38dc77c0173201714532

SHA1
e4faa9ea3763dca2a6ea325e2389ba79ed9c2e79

SHA256
21fba93cffffa78e4b42f2f464506c6f665a93eafea0178c0abaadfd1e1be60e

SHA512
dabed66e0d6b8313cb84f7a61f9f6ead14e36d701b9afde4e28e200b70b39a3e521b7dd71cc2e2d2dd4b5e6b12ad9b23e9534ad251ce31fd26dd981500aa152d

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
e1350a4f733b66aec7d9efb4daf681af

SHA1
1126b48281388c3be273a8e2dc9fdf633b1dd901

SHA256
53a6445de9b3b28e8d070f8723883085e9288041f292b619dd14e853ed7437cc

SHA512
670166e2d43ae763891c8f7ae2590fd7e9fc746a144cc8414469fd763af7396db1379ba62604a60576e6dc1304d8a29e7e64bbcf6b374a45d68867967f1648fb

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
576ccedc2a52ce9fd68fcb81aa18df4b

SHA1
9290ca9d7d16bb8e6308f64cec835ec8a0d4811d

SHA256
40193224659f141f4dff7732c54c9467c538440e9ec9c6f66b1147483ac36add

SHA512
b787d427e3745a90f2473f021ea14f92f9fa169a089fb514aad19b72d0f8a15cb496cd32dbcd2a58f175356ef8c717d2bf7f009886934d7f9620b9330b824323

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
5d59cff9a99bb219f4fe7e1502f7b4c7

SHA1
b4a657a2158ca88449c30b37e38f4fd260c6e01d

SHA256
d166bc87a59ac38ef87d648efe813ff3befb889fb67a17e1b4cc3db757c7db64

SHA512
8cace5bfce0066a37e47f1a3d4a9f1382581c251d4b117b9bb48b7990fd6d9533a6f2d168fb214e7ef3ee287209058f43e3df1bdcdf0a4a3f044e2fdf15bbbcc

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
fa2991e2ed793246cce1a94b5f155421

SHA1
5d6c77338633f654dc65f78f393b0010c38a3aa0

SHA256
c7e234d099e6ace5de2165b9165084c64ae7963732e9fca73ccc114e24ac1f7f

SHA512
b7c7f17ff458a08c51e493b9fdff1bb10fee23b5b2e9e87e099686528961ee6d1b983876b0df39399751244a86d14ae5038c093a5fd1478718d118986569aac3

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
905dd129c4e0a781964c068a2abb5576

SHA1
d0dc3955734f4613fd9f551ba788ac24ddddb8da

SHA256
0c099805dadfb149f57a1e78893b3713661760df60475f4839be1e7f62615c31

SHA512
7db318d899da87655efcd4a269588f7f1d281b7bc894065c09bd5e10ed3650dd9224f64a23abcb855fb3df7e4670551029903141dd37af79dc18b85376d80ae8

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
9700b65b344b860b1532a5b1398cef6b

SHA1
41c4e559d7098f00cf9ae95be8a3972074277055

SHA256
9bb499604ed487237dc504cab68a515222b405776090bfee47f580f989c411c1

SHA512
a320ae9b316f8a0c10727df25b6f2595a25de02b7816f16786f70b56203ba273b8cea0933a1c75934d8a0d08a6088f83d1084ed6875742d409354e509d7d456e

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
ceccbd0db0f633f914f4bd0d3f1fcad6

SHA1
1bdf9ac94a8b497faa96b22badaf4d34e078e230

SHA256
82432fc263973ae16cc6e696aead429e69c4f5d89275fe0c4409b3a9616b0a3e

SHA512
fb2d02579abfd6d7f631cd518c4ec4ce847b9ef788b88b0a30016aae931448e6ddf8a3fddc2f4000968d5a5fa417882311f5e9ee8faef68b38f2d06039dac49e

Download Submit
C:\Users\Admin\AppData\Roaming\bettercrewlink\config.json

Filesize
1KB

MD5
6acaaff3489c490f13e686b1905d048f

SHA1
11aaa70670a81326dfb432ba36cedecbdf681532

SHA256
73acb1d8debfb09ad8d9cf5996b646548de8296a0ed11880990d05b3cbbd43a2

SHA512
226502b0d9b8e9f60a568e32636a1ccdf64969c897b1a5ef23f7e3f4501b2d2ee182099b10bb8a556a50692fa14e7562be47e9d8614a07258c312ca544a6e358

Download Submit
\Users\Admin\AppData\Local\Temp\01a9ff69-19f4-45f1-ac80-25095df50253.tmp.node

Filesize
208KB

MD5
d2767b1e91cd973aa138c61255a719bb

SHA1
96e58ec4f97ed9efbeb0b7f4141af7d1c1e7af2f

SHA256
809ce8be4eb58b91afcf4282c40bc0dcd02c6c919cc8b8fc99462f9212a97d58

SHA512
808f3232b1193b4094136af029b10ce0b5ff64fdadaf7a8e2aba6e1a50b8e6c1df1245be6e37ffc0b157d6921dfd7abf1a0c7ad31d35aa106e5f7e8fbcce8e4c

Download Submit
\Users\Admin\AppData\Local\Temp\3ec602b4-c04b-431b-a484-e5be3fe11065.tmp.node

Filesize
613KB

MD5
174c50bb9795f9d23b87158da5cfa977

SHA1
f5d963f733d9a82490bd828051b45c2b322b032b

SHA256
77ad8327ae7fb12e0d6b8f3d806311be07d2c34cca0da720cab2af4cb8c30435

SHA512
bf9bb12ac5b4a38fba44736ddefd48afb98ba3b5ce9ee262ea24ae7d41b8d4a41cb5a8c66336218e40cc20c2df75166b11587ea4c4a6764e5942a7cfa110b769

Download Submit
\Users\Admin\AppData\Local\Temp\57c0384d-c508-4db6-bbfb-a7e14e8e7901.tmp.node

Filesize
134KB

MD5
c371247c8046a18215758d750d9d5463

SHA1
5f1eeff39c4823abac3f265ef72baad37e439397

SHA256
d47a203cd3156725ef7462f2f989868b4f7b7a60ee0eaea22b86fbde2eff3884

SHA512
ca2446dd882cd048513d77451c452e816cdc1637e2b3cae9cc1041c227f50b77dccdf6e5b8393b8b9a7e138ee4b71b903e27a5bcd53822b4a1bd8a14fe273c07

Download Submit
\Users\Admin\AppData\Local\Temp\e06f445d-8d4a-440c-b833-65257a2cfc2c.tmp.node

Filesize
116KB

MD5
f788fa68d14fd58ae1fa6d16baa9210b

SHA1
4f260ab745bf93ea86801c15542bcecac1629e4a

SHA256
4a8518975d8494a69d959bbb4d3328ff2be9c6d91f35859c3db576940daa8c86

SHA512
e92a9ecc214e593e7d829d6a81213cc541ca33f9b4899ca7b5f7fe1507aa9cec665a2af4d490890db79d66a62863ecff74cb14c0f79e144f49fc304ad9abdcbc

Download Submit
memory/2616-49-0x00000000776A0000-0x00000000776A1000-memory.dmp

Filesize
4KB

Download
memory/2616-17-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download