93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9

Analysis

max time kernel
143s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 04:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe
Size

1.1MB
MD5

48e5aec3ff12840562ae44aaec6b6719
SHA1

d65450ac2b4df154a56492c1dc6d908e801f4c30
SHA256

93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9
SHA512

a55ebdb48d9f97ea8a7a023fba15e367e1e7b7209dbe859be7fa27f96499b4d9c752a75f7e9c0e719409ba0cfa4bc7f7e69935fe95435db57ccc90a30d531a4f
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRB:g5ApamAUAQ/lG4lBmFAvZB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3056	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
3056	svchcst.exe
1768	svchcst.exe
784	svchcst.exe
2512	svchcst.exe
2084	svchcst.exe
2124	svchcst.exe
1552	svchcst.exe
1600	svchcst.exe
2712	svchcst.exe
2816	svchcst.exe
1136	svchcst.exe
1920	svchcst.exe
2672	svchcst.exe
820	svchcst.exe
1992	svchcst.exe
2320	svchcst.exe
1752	svchcst.exe
2636	svchcst.exe
812	svchcst.exe
1776	svchcst.exe
2488	svchcst.exe
2416	svchcst.exe

Loads dropped DLL 36 IoCs

pid	Process
2668	WScript.exe
2668	WScript.exe
2604	WScript.exe
2924	WScript.exe
1680	WScript.exe
2324	WScript.exe
1492	WScript.exe
1652	WScript.exe
1652	WScript.exe
1652	WScript.exe
1960	WScript.exe
1960	WScript.exe
2584	WScript.exe
2876	WScript.exe
2876	WScript.exe
2896	WScript.exe
2896	WScript.exe
964	WScript.exe
992	WScript.exe
992	WScript.exe
3028	WScript.exe
3028	WScript.exe
1552	WScript.exe
1552	WScript.exe
2156	WScript.exe
2156	WScript.exe
2708	WScript.exe
2708	WScript.exe
1708	WScript.exe
1708	WScript.exe
2368	WScript.exe
2368	WScript.exe
300	WScript.exe
300	WScript.exe
1592	WScript.exe
1592	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe
2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe
3056	svchcst.exe
3056	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
784	svchcst.exe
784	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
820	svchcst.exe
820	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
812	svchcst.exe
812	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2668	2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe	28
PID 2156 wrote to memory of 2668	2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe	28
PID 2156 wrote to memory of 2668	2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe	28
PID 2156 wrote to memory of 2668	2156	93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe	28
PID 2668 wrote to memory of 3056	2668	WScript.exe	30
PID 2668 wrote to memory of 3056	2668	WScript.exe	30
PID 2668 wrote to memory of 3056	2668	WScript.exe	30
PID 2668 wrote to memory of 3056	2668	WScript.exe	30
PID 3056 wrote to memory of 2604	3056	svchcst.exe	31
PID 3056 wrote to memory of 2604	3056	svchcst.exe	31
PID 3056 wrote to memory of 2604	3056	svchcst.exe	31
PID 3056 wrote to memory of 2604	3056	svchcst.exe	31
PID 2604 wrote to memory of 1768	2604	WScript.exe	32
PID 2604 wrote to memory of 1768	2604	WScript.exe	32
PID 2604 wrote to memory of 1768	2604	WScript.exe	32
PID 2604 wrote to memory of 1768	2604	WScript.exe	32
PID 1768 wrote to memory of 2924	1768	svchcst.exe	33
PID 1768 wrote to memory of 2924	1768	svchcst.exe	33
PID 1768 wrote to memory of 2924	1768	svchcst.exe	33
PID 1768 wrote to memory of 2924	1768	svchcst.exe	33
PID 2924 wrote to memory of 784	2924	WScript.exe	34
PID 2924 wrote to memory of 784	2924	WScript.exe	34
PID 2924 wrote to memory of 784	2924	WScript.exe	34
PID 2924 wrote to memory of 784	2924	WScript.exe	34
PID 784 wrote to memory of 1680	784	svchcst.exe	35
PID 784 wrote to memory of 1680	784	svchcst.exe	35
PID 784 wrote to memory of 1680	784	svchcst.exe	35
PID 784 wrote to memory of 1680	784	svchcst.exe	35
PID 1680 wrote to memory of 2512	1680	WScript.exe	36
PID 1680 wrote to memory of 2512	1680	WScript.exe	36
PID 1680 wrote to memory of 2512	1680	WScript.exe	36
PID 1680 wrote to memory of 2512	1680	WScript.exe	36
PID 2512 wrote to memory of 2324	2512	svchcst.exe	37
PID 2512 wrote to memory of 2324	2512	svchcst.exe	37
PID 2512 wrote to memory of 2324	2512	svchcst.exe	37
PID 2512 wrote to memory of 2324	2512	svchcst.exe	37
PID 2324 wrote to memory of 2084	2324	WScript.exe	38
PID 2324 wrote to memory of 2084	2324	WScript.exe	38
PID 2324 wrote to memory of 2084	2324	WScript.exe	38
PID 2324 wrote to memory of 2084	2324	WScript.exe	38
PID 2084 wrote to memory of 1492	2084	svchcst.exe	39
PID 2084 wrote to memory of 1492	2084	svchcst.exe	39
PID 2084 wrote to memory of 1492	2084	svchcst.exe	39
PID 2084 wrote to memory of 1492	2084	svchcst.exe	39
PID 1492 wrote to memory of 2124	1492	WScript.exe	40
PID 1492 wrote to memory of 2124	1492	WScript.exe	40
PID 1492 wrote to memory of 2124	1492	WScript.exe	40
PID 1492 wrote to memory of 2124	1492	WScript.exe	40
PID 2124 wrote to memory of 1652	2124	svchcst.exe	42
PID 2124 wrote to memory of 1652	2124	svchcst.exe	42
PID 2124 wrote to memory of 1652	2124	svchcst.exe	42
PID 2124 wrote to memory of 1652	2124	svchcst.exe	42
PID 1652 wrote to memory of 1552	1652	WScript.exe	44
PID 1652 wrote to memory of 1552	1652	WScript.exe	44
PID 1652 wrote to memory of 1552	1652	WScript.exe	44
PID 1652 wrote to memory of 1552	1652	WScript.exe	44
PID 1552 wrote to memory of 1512	1552	svchcst.exe	45
PID 1552 wrote to memory of 1512	1552	svchcst.exe	45
PID 1552 wrote to memory of 1512	1552	svchcst.exe	45
PID 1552 wrote to memory of 1512	1552	svchcst.exe	45
PID 1652 wrote to memory of 1600	1652	WScript.exe	46
PID 1652 wrote to memory of 1600	1652	WScript.exe	46
PID 1652 wrote to memory of 1600	1652	WScript.exe	46
PID 1652 wrote to memory of 1600	1652	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe
"C:\Users\Admin\AppData\Local\Temp\93f35fe1f86fc157f49900cbc3036f2b0feb69e395db09844247bb4d2f962eb9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
66d254895344cb23a2998d88a76408e0

SHA1
134a8a33e8b5ddd8829dc6cb6ef9b787c9f7a027

SHA256
d2aeab36d13bc23570944ca4bb80586251548e9ab1c29b076665e22be8dbfe4a

SHA512
42e990ce67d01e5d057f2204409b029be01510d73e0e07f1c908f4192df6f43615ad6d4686b24bc9c64c37f8bc2860f480c4b22ed61979776b6bdf175a78da08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
840853c0aa5a4d702a8110a0cb763b4b

SHA1
58d028e09818c3fd2a9d521c26772cf4d1a9072a

SHA256
4438df44bf53668a332407b1c60d745bd1293a3f1acab9953b1d77e5131d2728

SHA512
f2b044e4710dadb03164bc78519207bd8d39d2cf9d4568fc11c38271eabc3e57410083b1cf29e40b1f6119ffa33ed4784ef652f112e50b554c2983755a606b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
90bc2d765472dd061eb294eb6d7e8dfc

SHA1
19ad6dc9c606412cb2de37711c812527b6e19df0

SHA256
c9ac99b789cf360f19869363ba70a42b9438f52c09315a574e80d48812990af2

SHA512
d92d59a3515797216c5496aab4fa7c0779b18f87a6330293161b77088566d39bd2d97a446e14b67d47732659a028af210593c912c25b6aa8adb736c9b6aa2ad1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d81954671eb0695fdb0929a8b96731c2

SHA1
1386124a39ecf82b2bad8e9b85b55dc3bb5e145a

SHA256
089ebbf3b4ab3ba716f7137c6b057830f0bc9f6d14390087dd0b80b8469ddaef

SHA512
c85b2364371e4cad12e58644c72c9e2b681274296493418167a38003af75cd87e3968b065210b51e991a06cb65b9a96db0b9d239c4827759a2f33766e59eebd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
918KB

MD5
e3adad7c7b82feada1a9b855c59219a5

SHA1
4a20dd0bc0c14ef346f6be0a60dc37fca07f8a58

SHA256
e5df781777fc55d9b4f617ac211c98b1e6e85c9cae046aea27fdfbba60755c68

SHA512
00561180a02bfbda2845645650ef4d6e89c13e5d9a3e289583c89411123de4155426ba8b602822142bb8126d5169d34e952cdd6f113316ed46cebfbd47041078

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
157KB

MD5
754962c0d4a710167dce5093e156f512

SHA1
5320ebc8a93f2080f085482f99f0b8e90649273c

SHA256
a97dbbe878bd05904ebcb290977cb17cafd4ca786a9cc89ddad6080ddf283a94

SHA512
6a8265fba41b7ec8da7d22dcb4578c73219c8d744de6609526ff1ad1d3f7d034132ad997d71cfbafcdec2f73ccccdf08d0f02d86c0792677efe87c5666836548

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
42b084bc57b4ee36bd69b1ad927559c1

SHA1
1b0c37469706886566267a2020cb9d2bf3da1ef3

SHA256
addbc940eb4a32fd7f0c6f135aaab865629b0bdcc4f696b280abe2e217876770

SHA512
8ec21c7e10c9bb089f7f336788e7b32af0c7051392134b14bcfeb2a13c0ce5b0ec8eeaba9697ac702f831f515af42c125a152f006669008a04daf01e6906070d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1024KB

MD5
857233de70f02f88ee8608899219ab66

SHA1
2cc71518234c0009e340b29f31d9f33a2bc5386b

SHA256
4512ab87e976daef2331184255631eb755ef4fb4d89be9c710306e5ab4f16b9f

SHA512
e1a5ba96e6f52bc10accaded7a0306c62e5117eb5cd6c482112e92c4b941c4558b92211cbe4fcf830156c6ba20647511684b821bb1613b9ee6fe0211e46248a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
108KB

MD5
480a70c8ff38008f9839885a8cc04e44

SHA1
4960565731b1d28697ca0019eb2fb2eac3633c74

SHA256
3ed2100da2cb9e4cd708e6f82fe438665bed3eaf895829c033ee0f895c1d302a

SHA512
f7476b8df534243bbdbb7318e5ca4485913d53c5ab6267258a2e54e9d6b633b71247f177fa68f81dda18e7efbc50279e498859f00a4a76f9754ead57ef69b903

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
539KB

MD5
0bbd67ae450e043e64e8ce7fa97d609e

SHA1
02718062ebad828d21e41b035186965bba97e49e

SHA256
f747eff2a1adf9e51d980e18c578845a282d9d78fec2095b3d085b8c035e964c

SHA512
09665000409a4c27d1c19a5e3678c983a6a08f788037ad3c856c73592729702e556e43b6d7337df70e5122d2499d252ffa9ac6c669bb37a948c2ad728ccaf0c9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1019KB

MD5
563d551509423f6b5dbcf7ea24626927

SHA1
429791e03e74ed0afc6b1162be81d3aad4be3988

SHA256
d64cb9934b1c54a3e666161267e8d009cff7596aaabbd9927f44f582b282c5a8

SHA512
d368907ea020190043897816c8158771a06db55c61ba8003e0fe33f8639f96523aaeae289cdf96f992befdd9313b8a12771b34f4e7a033be6107f881897f36ce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
182KB

MD5
aeb7f092d866a11e6536a1005ba4e3c2

SHA1
a55ea6732382849d8b86c8b6a180045ec4ad75b3

SHA256
e6ab76027f70b18a2ac02d9c41b852af4de171f86c06a3d212b30bfcefe9e4bd

SHA512
a5e27bf00f46f02633a8081959cb8ac396f3099d5098a79ac991fa1a29c2a8143b4ab4b20b16d89152538868dcfd006236f3a1181918a7edcf173f60fd24b848

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
880KB

MD5
60b6e6ae2f8204b3120d12728d4ad63e

SHA1
e2ebdd05a56498b7ed0df7d2f30e1744eb759770

SHA256
2de5e7433dcc80fa7836bf5ef4ad6ae8ef62b180dab89cf697adc6fb92fa08e2

SHA512
24dfbbd963a7254d06ad610bcebb0f13ccac3ebd065ee300efa2e34b5ef12f75a02ff928fcff28e220e6fb710b230be7f44c93e3676e69a9b4e0cbfb8d0881d8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
122KB

MD5
dd06fb73e8b916efdd36d944492962f4

SHA1
0afc3601bf8b2094106d158c249fe21740934cfc

SHA256
5312657f761dff60e8c8f8b8cf21fd1bf264eea7909f13129958ccd96df52aff

SHA512
089bcf8100071182782529f8747750b6df608bbf8dff6f94057af750d002f1f71b898e51aa0a5f45e5cf467ddc930cb2e4a11da016708faba62fce0f65ae574d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
69824772cb0a3df4abfab76ff3aa9537

SHA1
60a3088ecfc9d40009d1faeb1941a88e6e34f187

SHA256
9523d22e2117be98b11fc8c347a345e68487e01a5e9a403414e8bdc2c4947460

SHA512
63f7aa6a9a3f791c306b38a22ee846ddf9264ab8c646c5b6bfbfbb872a48f69ebbfa0215cb07cdc775a667eea07ee47125a34fb7aa838ad43e8c01e2f343efac

Download Submit