63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe
Size

1.1MB
MD5

77b1a7196ba7ff1e523dc798995430ea
SHA1

c03cf2a2f5061943f65b44f7554999e4f86c26bd
SHA256

63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153
SHA512

c17283e7e76df00d8eec88a4bcae201661a1574c4f9b4fbb90e85b2dada4fc866b453fe7fae9bb7c73c43f5a607f5368604f72a2ba42341bbfd1964ad726237d
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyR/:g5ApamAUAQ/lG4lBmFAvZ/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2792	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2792	svchcst.exe
2892	svchcst.exe
1972	svchcst.exe
1664	svchcst.exe
2204	svchcst.exe
652	svchcst.exe
1916	svchcst.exe
2964	svchcst.exe
2328	svchcst.exe
2680	svchcst.exe
2356	svchcst.exe
820	svchcst.exe
2072	svchcst.exe
2604	svchcst.exe
652	svchcst.exe
1352	svchcst.exe
2440	svchcst.exe
2224	svchcst.exe
2644	svchcst.exe
2680	svchcst.exe
3044	svchcst.exe
2276	svchcst.exe
2084	svchcst.exe

Loads dropped DLL 32 IoCs

pid	Process
2172	WScript.exe
2172	WScript.exe
2796	WScript.exe
780	WScript.exe
780	WScript.exe
2068	WScript.exe
1484	WScript.exe
2440	WScript.exe
1248	WScript.exe
2444	WScript.exe
2444	WScript.exe
2916	WScript.exe
2916	WScript.exe
1992	WScript.exe
996	WScript.exe
2284	WScript.exe
2580	WScript.exe
2580	WScript.exe
1880	WScript.exe
1880	WScript.exe
2148	WScript.exe
2148	WScript.exe
2880	WScript.exe
2880	WScript.exe
1800	WScript.exe
1800	WScript.exe
320	WScript.exe
320	WScript.exe
680	WScript.exe
680	WScript.exe
808	WScript.exe
808	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe
2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe
2792	svchcst.exe
2792	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
652	svchcst.exe
652	svchcst.exe
1916	svchcst.exe
1916	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
820	svchcst.exe
820	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
652	svchcst.exe
652	svchcst.exe
1352	svchcst.exe
1352	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2172	2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe	28
PID 2532 wrote to memory of 2172	2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe	28
PID 2532 wrote to memory of 2172	2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe	28
PID 2532 wrote to memory of 2172	2532	63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe	28
PID 2172 wrote to memory of 2792	2172	WScript.exe	31
PID 2172 wrote to memory of 2792	2172	WScript.exe	31
PID 2172 wrote to memory of 2792	2172	WScript.exe	31
PID 2172 wrote to memory of 2792	2172	WScript.exe	31
PID 2792 wrote to memory of 2796	2792	svchcst.exe	30
PID 2792 wrote to memory of 2796	2792	svchcst.exe	30
PID 2792 wrote to memory of 2796	2792	svchcst.exe	30
PID 2792 wrote to memory of 2796	2792	svchcst.exe	30
PID 2796 wrote to memory of 2892	2796	WScript.exe	32
PID 2796 wrote to memory of 2892	2796	WScript.exe	32
PID 2796 wrote to memory of 2892	2796	WScript.exe	32
PID 2796 wrote to memory of 2892	2796	WScript.exe	32
PID 2892 wrote to memory of 780	2892	svchcst.exe	33
PID 2892 wrote to memory of 780	2892	svchcst.exe	33
PID 2892 wrote to memory of 780	2892	svchcst.exe	33
PID 2892 wrote to memory of 780	2892	svchcst.exe	33
PID 780 wrote to memory of 1972	780	WScript.exe	35
PID 780 wrote to memory of 1972	780	WScript.exe	35
PID 780 wrote to memory of 1972	780	WScript.exe	35
PID 780 wrote to memory of 1972	780	WScript.exe	35
PID 1972 wrote to memory of 2252	1972	svchcst.exe	34
PID 1972 wrote to memory of 2252	1972	svchcst.exe	34
PID 1972 wrote to memory of 2252	1972	svchcst.exe	34
PID 1972 wrote to memory of 2252	1972	svchcst.exe	34
PID 780 wrote to memory of 1664	780	WScript.exe	37
PID 780 wrote to memory of 1664	780	WScript.exe	37
PID 780 wrote to memory of 1664	780	WScript.exe	37
PID 780 wrote to memory of 1664	780	WScript.exe	37
PID 1664 wrote to memory of 2068	1664	svchcst.exe	36
PID 1664 wrote to memory of 2068	1664	svchcst.exe	36
PID 1664 wrote to memory of 2068	1664	svchcst.exe	36
PID 1664 wrote to memory of 2068	1664	svchcst.exe	36
PID 2068 wrote to memory of 2204	2068	WScript.exe	38
PID 2068 wrote to memory of 2204	2068	WScript.exe	38
PID 2068 wrote to memory of 2204	2068	WScript.exe	38
PID 2068 wrote to memory of 2204	2068	WScript.exe	38
PID 2204 wrote to memory of 1484	2204	svchcst.exe	39
PID 2204 wrote to memory of 1484	2204	svchcst.exe	39
PID 2204 wrote to memory of 1484	2204	svchcst.exe	39
PID 2204 wrote to memory of 1484	2204	svchcst.exe	39
PID 1484 wrote to memory of 652	1484	WScript.exe	40
PID 1484 wrote to memory of 652	1484	WScript.exe	40
PID 1484 wrote to memory of 652	1484	WScript.exe	40
PID 1484 wrote to memory of 652	1484	WScript.exe	40
PID 652 wrote to memory of 2440	652	svchcst.exe	41
PID 652 wrote to memory of 2440	652	svchcst.exe	41
PID 652 wrote to memory of 2440	652	svchcst.exe	41
PID 652 wrote to memory of 2440	652	svchcst.exe	41
PID 2440 wrote to memory of 1916	2440	WScript.exe	43
PID 2440 wrote to memory of 1916	2440	WScript.exe	43
PID 2440 wrote to memory of 1916	2440	WScript.exe	43
PID 2440 wrote to memory of 1916	2440	WScript.exe	43
PID 1916 wrote to memory of 1248	1916	svchcst.exe	42
PID 1916 wrote to memory of 1248	1916	svchcst.exe	42
PID 1916 wrote to memory of 1248	1916	svchcst.exe	42
PID 1916 wrote to memory of 1248	1916	svchcst.exe	42
PID 1248 wrote to memory of 2964	1248	WScript.exe	46
PID 1248 wrote to memory of 2964	1248	WScript.exe	46
PID 1248 wrote to memory of 2964	1248	WScript.exe	46
PID 1248 wrote to memory of 2964	1248	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe
"C:\Users\Admin\AppData\Local\Temp\63e4eb3003192f3d09925628609533472a2584737aa4cc906e498850f9d64153.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2792

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1972
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
PID:2252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:652
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    - Loads dropped DLL
    PID:2444
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2328
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
PID:2556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
PID:2916
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2356
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    PID:2228
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    - Loads dropped DLL
    PID:1992
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2072
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        5⤵
        Loads dropped DLL
        
        PID:996
      - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        7⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        9⤵
        Loads dropped DLL
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        11⤵
        Loads dropped DLL
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        13⤵
        Loads dropped DLL
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        15⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        17⤵
        Loads dropped DLL
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        19⤵
        Loads dropped DLL
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        21⤵
        Loads dropped DLL
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        23⤵
        Loads dropped DLL
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        25⤵
        
        PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
d14c1cd53b56e907f01bd917f3b92ab4

SHA1
529a20673b07a33412d0fa58d72b6a67288c6425

SHA256
0ab2a00cc8f19f4df0e52d78ddf3631ef2dbba03b9333140744f977adcda64d7

SHA512
9ec8faf9d0545271898cdd7c40c84845b540c3f2869c46cfa31d90b7eb8516b112f41ede5ad476d889863dd82fbbed5bcf6b4dbad7459313dab20cf3cc451992

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1024KB

MD5
857233de70f02f88ee8608899219ab66

SHA1
2cc71518234c0009e340b29f31d9f33a2bc5386b

SHA256
4512ab87e976daef2331184255631eb755ef4fb4d89be9c710306e5ab4f16b9f

SHA512
e1a5ba96e6f52bc10accaded7a0306c62e5117eb5cd6c482112e92c4b941c4558b92211cbe4fcf830156c6ba20647511684b821bb1613b9ee6fe0211e46248a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
280KB

MD5
b4082974e3cd1e9ac84bbd34f49f6254

SHA1
0876830ac4a81a8a96529172b9082317273a5243

SHA256
abb596058eb6f13d0e218e75a86b92f302e120aa4e92e202a034aefc5d8a69b0

SHA512
edafa4825aab3588026c8b6454a4e663b75c7eceb183de68213596111201cfee55f9876dca00a828e047b89125744b6ac62348eb45998021da9c1aac96e7e93c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
21KB

MD5
2cef5a8c8fe33762978e99671d87a130

SHA1
21b159ff90f78ce48fc2190c6bf3598e09c8e46c

SHA256
c3695c95a960ec639dba2f8f3c05d0571b09b672e34daa2034a2118366d49ae8

SHA512
144535942d834cfb47d985234f3bbbc828aad4d4a21faa96a33f5625855ea9b7d732d90765e007587f9bcbc083abb4059d2a3154f024458e1c442b4ddf216c91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c9418f258ffb60f60de9f8932419b31d

SHA1
4635b4ce5e961ccd701ed547a006697cbd09e1d9

SHA256
22982a7d5beeab5264810ed715d9c152922323625f5118e481c1ebbfee6a632f

SHA512
f8a82ed5445c7139a160b14db8a7ec8b8c0c7eebed711206eae58f614b8302518fb99eda46659c7ea92759e0f244b9735f44e80c620104cdf97e4b688de3ec7c

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
377KB

MD5
9b41244971956f2655eb5101b9b97e93

SHA1
5ffcacb12fe7b0f3dd86ba0f4be9fa8039828c77

SHA256
377ddcf57c9cdd15c357eb62e7ab7ed50d8a70c4e27d9733110eda254742e454

SHA512
42e7570d84ddccaefbd9138e4b6d4d6f5863dcc945e0d18373c6517d594b276c31fa54873070ae35a785c438a42ee56404771692404863bb951c557399766675

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
192KB

MD5
f8250cec818655c53ca40edd6da22823

SHA1
c5a848bb5e73ac19ac055f1ac411611bcfba2357

SHA256
78bc9449c95cb58286c867b8c800923837e2c11007075010bf4da7f2f1da21b7

SHA512
135473c3d937fb30866d83af155698a72b2c28a21f607f5e36d8034addfc64a3204b053b624c468d3599b571d2edbf5206b347073eeeb7c4274552a792308d4d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
389KB

MD5
ad3a897f757482b873b5afbc9bf70241

SHA1
096e15bf82d52dd35cf47cdcbb9dce7d79faafaa

SHA256
0492dc9a6e46717708a4b1a3df1765e71d1b4e893c513a3e22d47e07ed177019

SHA512
b02762be95dc2b79e4e661987831765116b27505ec1d4239792405b7d147b80550c81b4f716c18794573a87d790d3fd267ef37bac74e5bc0ac2b4541cfa94958

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
321KB

MD5
9d44171bc62bfd32cd03af6e668db7f2

SHA1
8b686a02412e69492a4da3329f5477d8971bb4da

SHA256
9eaf5883d3b6afdc02e533130bddb143a9cd905ae51aa42b50c5a3f728dc60c6

SHA512
e44a370b3c7c36daf230da2a92fe0252c85c5ce2d5a2aa8c2d6ac8cd6d229428e5c0ea7ab0f87427499892d90f031c33bec4ea7aaefa77073c9776835d481293

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
64KB

MD5
8a484a2ab53101b50078058ab709deb1

SHA1
b005d79c8b40d845213b5e671fcb895ac958e864

SHA256
e2e9e5c6559321b712bc02bd00f9e8235b8791d0ac966338ad7308aac1726610

SHA512
e12549277249b3867fe02a0dc06af1caba1f901d62dd4a616b3386e1af05e82cd8c8458bdf1cf3fb8fe679e9df8cd6a9276102cf971f9ea6832f5184b3d39342

Download Submit