Windows Analysis Report
mkcert.exe

Overview

General Information

Sample name: mkcert.exe
Analysis ID: 1411165
MD5: 7cc2b35154e9569269a8c5cd5c25f414
SHA1: ac6051394348ab5ff9d29c27a33750ead25493c3
SHA256: 3ed7944368bb86402333fc360415c763b7924179601db092cca8009b45cfe0b7

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: mkcert.exe ReversingLabs: Detection: 25%
Source: mkcert.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\multi-runner\builds\4N9zQf7c\0\emc\tools\mkcert\obj\Release\mkcert.pdb source: mkcert.exe
Source: mkcert.exe, 00000000.00000002.45465693897.0000000006542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mkcert.exe, 00000000.00000002.45465693897.0000000006542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mkcert.exe, 00000000.00000002.45470383068.00000000091C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: mkcert.exe, 00000000.00000002.45470383068.00000000091C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: mkcert.exe, 00000000.00000002.45465693897.0000000006542000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: mkcert.exe, 00000000.00000002.45458850665.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d8b920fd93066
Source: mkcert.exe, 00000000.00000002.45470383068.00000000091C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d8b920fd93
Source: mkcert.exe, 00000000.00000002.45462514529.0000000004177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp, mkcert.exe, 00000000.00000002.45458850665.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: mkcert.exe, 00000000.00000002.45459917591.0000000003101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp, mkcert.exe, 00000000.00000002.45458850665.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: mkcert.exe, 00000000.00000002.45471004196.0000000009281000.00000004.00000020.00020000.00000000.sdmp, mkcert.exe, 00000000.00000002.45465693897.0000000006542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: mkcert.exe, 00000000.00000002.45462514529.0000000004177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: mkcert.exe, 00000000.00000002.45462514529.0000000004177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: mkcert.exe, 00000000.00000002.45462514529.0000000004177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp, mkcert.exe, 00000000.00000002.45458850665.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: mkcert.exe, 00000000.00000002.45462514529.0000000004177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: mkcert.exe, 00000000.00000002.45471004196.0000000009281000.00000004.00000020.00020000.00000000.sdmp, mkcert.exe, 00000000.00000002.45465693897.0000000006542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: mkcert.exe, 00000000.00000002.45458850665.000000000141E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs mkcert.exe
Source: mkcert.exe, 00000000.00000002.45459917591.0000000003101000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs mkcert.exe
Source: mkcert.exe, 00000000.00000002.45459917591.0000000003154000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs mkcert.exe
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: msisip.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: wshext.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: kdscli.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: certca.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: certpkicmdlet.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: certenroll.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: dsparse.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: ncryptprov.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: ngcksp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: pcpksp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: tbs.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: scksp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: credui.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: winscard.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: dssenh.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: basecsp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\mkcert.exe Section loaded: cabinet.dll
Source: classification engine Classification label: mal56.winEXE@2/8@0/0
Source: C:\Users\user\Desktop\mkcert.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mkcert.exe.log
Source: C:\Users\user\Desktop\mkcert.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:120:WilError_03
Source: C:\Users\user\Desktop\mkcert.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4agtt0c.k02.ps1
Source: mkcert.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mkcert.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\mkcert.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\mkcert.exe File read: C:\Users\user\Desktop\mkcert.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\mkcert.exe C:\Users\user\Desktop\mkcert.exe
Source: C:\Users\user\Desktop\mkcert.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mkcert.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\mkcert.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: mkcert.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: mkcert.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\mkcert.exe Code function: 0_2_07ACA790 pushfd ; iretd 0_2_07ACA799
Source: C:\Users\user\Desktop\mkcert.exe Code function: 0_2_07AC852B push esp; ret 0_2_07AC8531
Source: C:\Users\user\Desktop\mkcert.exe Code function: 0_2_07AC9CD0 pushfd ; retf 0_2_07AC9CD1
Source: C:\Users\user\Desktop\mkcert.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\mkcert.exe Memory allocated: 1670000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mkcert.exe Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mkcert.exe Memory allocated: 5100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\mkcert.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\mkcert.exe Window / User API: threadDelayed 9128
Source: C:\Users\user\Desktop\mkcert.exe TID: 8328 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\mkcert.exe Code function: 0_2_016BE398 GetSystemInfo, 0_2_016BE398
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: mkcert.exe, 00000000.00000002.45458850665.0000000001451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FMSFT_NetEventVmNetworkAdatper.cdxml
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: mkcert.exe, 00000000.00000002.45470831762.0000000009259000.00000004.00000020.00020000.00000000.sdmp, mkcert.exe, 00000000.00000002.45471004196.00000000092AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: mkcert.exe, 00000000.00000002.45470831762.0000000009267000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: mkcert.exe, 00000000.00000002.45458850665.0000000001451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: mkcert.exe, 00000000.00000002.45459917591.000000000325B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\mkcert.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mkcert.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\mkcert.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Users\user\Desktop\mkcert.exe VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.CertificateServices.PKIClient.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.CertificateServices.PKIClient.Cmdlets.dll VolumeInformation
Source: C:\Users\user\Desktop\mkcert.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos