oski | 8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48

Analysis

max time kernel
54s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
Size

749KB
MD5

531c89746f1bb6333331ad28cee32f13
SHA1

4eb7657831ef51aa2e11b40be9f1ed8933e04f28
SHA256

8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48
SHA512

f687f7fb4fdce0df9c19e34f65bc89da2a32126882aa584b138aede3e2d4a6dbb6814d47b17a29e469550c3c3aa6d5fc612f78fbe2ad47b1bb3f50b330d4358a

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

nadia.ac.ug

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Executes dropped EXE 3 IoCs

pid	Process
684	ooo.exe
1960	ooo.exe
612	aaa.exe

Loads dropped DLL 3 IoCs

pid	Process
1632	WScript.exe
684	ooo.exe
1656	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 1960	684	ooo.exe	61

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
684	ooo.exe
684	ooo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
Token: SeDebugPrivilege	684	ooo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1632	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	28
PID 1304 wrote to memory of 1632	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	28
PID 1304 wrote to memory of 1632	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	28
PID 1304 wrote to memory of 1632	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	28
PID 1304 wrote to memory of 1588	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	29
PID 1304 wrote to memory of 1588	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	29
PID 1304 wrote to memory of 1588	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	29
PID 1304 wrote to memory of 1588	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	29
PID 1304 wrote to memory of 1332	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	30
PID 1304 wrote to memory of 1332	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	30
PID 1304 wrote to memory of 1332	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	30
PID 1304 wrote to memory of 1332	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	30
PID 1304 wrote to memory of 2000	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	31
PID 1304 wrote to memory of 2000	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	31
PID 1304 wrote to memory of 2000	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	31
PID 1304 wrote to memory of 2000	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	31
PID 1304 wrote to memory of 1008	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	32
PID 1304 wrote to memory of 1008	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	32
PID 1304 wrote to memory of 1008	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	32
PID 1304 wrote to memory of 1008	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	32
PID 1304 wrote to memory of 1484	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	34
PID 1304 wrote to memory of 1484	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	34
PID 1304 wrote to memory of 1484	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	34
PID 1304 wrote to memory of 1484	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	34
PID 1304 wrote to memory of 472	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	33
PID 1304 wrote to memory of 472	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	33
PID 1304 wrote to memory of 472	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	33
PID 1304 wrote to memory of 472	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	33
PID 1304 wrote to memory of 772	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	35
PID 1304 wrote to memory of 772	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	35
PID 1304 wrote to memory of 772	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	35
PID 1304 wrote to memory of 772	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	35
PID 1304 wrote to memory of 580	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	36
PID 1304 wrote to memory of 580	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	36
PID 1304 wrote to memory of 580	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	36
PID 1304 wrote to memory of 580	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	36
PID 1304 wrote to memory of 268	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	37
PID 1304 wrote to memory of 268	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	37
PID 1304 wrote to memory of 268	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	37
PID 1304 wrote to memory of 268	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	37
PID 1304 wrote to memory of 1188	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	38
PID 1304 wrote to memory of 1188	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	38
PID 1304 wrote to memory of 1188	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	38
PID 1304 wrote to memory of 1188	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	38
PID 1304 wrote to memory of 384	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	39
PID 1304 wrote to memory of 384	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	39
PID 1304 wrote to memory of 384	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	39
PID 1304 wrote to memory of 384	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	39
PID 1304 wrote to memory of 608	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	40
PID 1304 wrote to memory of 608	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	40
PID 1304 wrote to memory of 608	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	40
PID 1304 wrote to memory of 608	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	40
PID 1304 wrote to memory of 1168	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	41
PID 1304 wrote to memory of 1168	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	41
PID 1304 wrote to memory of 1168	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	41
PID 1304 wrote to memory of 1168	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	41
PID 1304 wrote to memory of 432	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	42
PID 1304 wrote to memory of 432	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	42
PID 1304 wrote to memory of 432	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	42
PID 1304 wrote to memory of 432	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	42
PID 1304 wrote to memory of 1540	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	43
PID 1304 wrote to memory of 1540	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	43
PID 1304 wrote to memory of 1540	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	43
PID 1304 wrote to memory of 1540	1304	8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe	43

C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
"C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Jwoasxr.vbs"
  2⤵
  - Loads dropped DLL
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\ooo.exe
    "C:\Users\Admin\AppData\Local\Temp\ooo.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:684
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Gsgxeo.vbs"
      4⤵
      Loads dropped DLL
      PID:1656
    - - C:\Users\Admin\AppData\Local\Temp\aaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
        5⤵
        Executes dropped EXE
        
        PID:612
  - - C:\Users\Admin\AppData\Local\Temp\ooo.exe
      "C:\Users\Admin\AppData\Local\Temp\ooo.exe"
      4⤵
      Executes dropped EXE
      PID:1960
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:472
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:772
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:580
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:384
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:608
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:432
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1076
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:836
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:528
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:960
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:768
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:568
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe
  "C:\Users\Admin\AppData\Local\Temp\8f91c74180d8c1a5b3ae0cfc6f2b01304d4cf3fa29a78ccee0876f7b417cba48.exe"
  2⤵
  PID:1396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gsgxeo.vbs

Filesize
91B

MD5
9e77c5f012c8e5ac0f5706f2a906ab6e

SHA1
900598d4cc26f03b37794e4b1f9de7e49cd94ee5

SHA256
d9f14c1c8a8aebed3afdfe07c1243d1b2b1ca4772ef66b902586691327944e38

SHA512
5ee472ea553af3c598f87db7ed1c8ebacd03b4b00c442ca50cb9f6e87488be5eb1e85aec0ea55cbe6c0234b21eddeb8a358bfc66e70be6d22603793ea99ee839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jwoasxr.vbs

Filesize
91B

MD5
c0c64a797ebd363385bb9670d99054fe

SHA1
055d06d6d514bb5742f72829e5e1748282715094

SHA256
569e18bc2c6d7618e9c7e34e8b6ef116d543ec35b23414d2c2e5a4c84d471409

SHA512
39d4785622cdf99161792aa1cee81b42e4079a9d393906a6796854461a77428c016f624e031c1f3a4cf9d2a347bfcd9b70f709bb32a4d0ddb15027dacb084235

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaa.exe

Filesize
171KB

MD5
01f2b5f6403530af79e6f321f4879da0

SHA1
f09790bdab30fd08c312d3b0d4f8ec309a1431bc

SHA256
dc2d40f77af7bd9f6a4d86baee6d1fb3332dc9f8953cfd73f39c914b4990e4e5

SHA512
07b1135e4a116b80d89aa69890c00febbb874cf22456366202a19517e359e3a0e69110fd3ea2246469420de03cbf8aaee08caa6a307283b08f7400c2fdb5fc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaa.exe

Filesize
171KB

MD5
01f2b5f6403530af79e6f321f4879da0

SHA1
f09790bdab30fd08c312d3b0d4f8ec309a1431bc

SHA256
dc2d40f77af7bd9f6a4d86baee6d1fb3332dc9f8953cfd73f39c914b4990e4e5

SHA512
07b1135e4a116b80d89aa69890c00febbb874cf22456366202a19517e359e3a0e69110fd3ea2246469420de03cbf8aaee08caa6a307283b08f7400c2fdb5fc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooo.exe

Filesize
358KB

MD5
405a484a6f2777f0e4fc429ca05353a7

SHA1
895ae31fab9c5042ddc3f5912c55b81530a20163

SHA256
aba9f9d6904d1474f7a0693e80d182eff9cb8a1c185f0090876cf8eb83914cbb

SHA512
da5771598dcfa6b8fd82a34f8a1ae581b0bd7aa1a51bba978a9ceefdce8639462f182adf94eec70314b25dd6f0c6c7ba7b08bcde479ab8bb7ce4447e00e8a5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooo.exe

Filesize
358KB

MD5
405a484a6f2777f0e4fc429ca05353a7

SHA1
895ae31fab9c5042ddc3f5912c55b81530a20163

SHA256
aba9f9d6904d1474f7a0693e80d182eff9cb8a1c185f0090876cf8eb83914cbb

SHA512
da5771598dcfa6b8fd82a34f8a1ae581b0bd7aa1a51bba978a9ceefdce8639462f182adf94eec70314b25dd6f0c6c7ba7b08bcde479ab8bb7ce4447e00e8a5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooo.exe

Filesize
358KB

MD5
405a484a6f2777f0e4fc429ca05353a7

SHA1
895ae31fab9c5042ddc3f5912c55b81530a20163

SHA256
aba9f9d6904d1474f7a0693e80d182eff9cb8a1c185f0090876cf8eb83914cbb

SHA512
da5771598dcfa6b8fd82a34f8a1ae581b0bd7aa1a51bba978a9ceefdce8639462f182adf94eec70314b25dd6f0c6c7ba7b08bcde479ab8bb7ce4447e00e8a5c8

Download Submit
\Users\Admin\AppData\Local\Temp\aaa.exe

Filesize
171KB

MD5
01f2b5f6403530af79e6f321f4879da0

SHA1
f09790bdab30fd08c312d3b0d4f8ec309a1431bc

SHA256
dc2d40f77af7bd9f6a4d86baee6d1fb3332dc9f8953cfd73f39c914b4990e4e5

SHA512
07b1135e4a116b80d89aa69890c00febbb874cf22456366202a19517e359e3a0e69110fd3ea2246469420de03cbf8aaee08caa6a307283b08f7400c2fdb5fc76

Download Submit
\Users\Admin\AppData\Local\Temp\ooo.exe

Filesize
358KB

MD5
405a484a6f2777f0e4fc429ca05353a7

SHA1
895ae31fab9c5042ddc3f5912c55b81530a20163

SHA256
aba9f9d6904d1474f7a0693e80d182eff9cb8a1c185f0090876cf8eb83914cbb

SHA512
da5771598dcfa6b8fd82a34f8a1ae581b0bd7aa1a51bba978a9ceefdce8639462f182adf94eec70314b25dd6f0c6c7ba7b08bcde479ab8bb7ce4447e00e8a5c8

Download Submit
\Users\Admin\AppData\Local\Temp\ooo.exe

Filesize
358KB

MD5
405a484a6f2777f0e4fc429ca05353a7

SHA1
895ae31fab9c5042ddc3f5912c55b81530a20163

SHA256
aba9f9d6904d1474f7a0693e80d182eff9cb8a1c185f0090876cf8eb83914cbb

SHA512
da5771598dcfa6b8fd82a34f8a1ae581b0bd7aa1a51bba978a9ceefdce8639462f182adf94eec70314b25dd6f0c6c7ba7b08bcde479ab8bb7ce4447e00e8a5c8

Download Submit
memory/612-92-0x0000000000B70000-0x0000000000BA4000-memory.dmp

Filesize
208KB

Download
memory/684-71-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/684-68-0x0000000002130000-0x000000000218A000-memory.dmp

Filesize
360KB

Download
memory/684-67-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/684-66-0x0000000000820000-0x0000000000882000-memory.dmp

Filesize
392KB

Download
memory/1304-54-0x00000000003A0000-0x0000000000464000-memory.dmp

Filesize
784KB

Download
memory/1304-59-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/1304-57-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1304-56-0x0000000002050000-0x000000000210A000-memory.dmp

Filesize
744KB

Download
memory/1304-55-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/1960-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1960-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download