Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
03/06/2024, 10:34
Static task
static1
Behavioral task
behavioral1
Sample
fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
Resource
win10v2004-20240426-en
General
-
Target
fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
-
Size
1.1MB
-
MD5
c0bf95517f48639bb739cb1570bd7205
-
SHA1
400d166d14afe3db5ad82b2608063f938a6a9865
-
SHA256
fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac
-
SHA512
bcadeee5091419c93ef96ee8475411c9f40f8ed691c76e62fa2417f3306ff682491a3b66801954cbf378f13b0c1cf8b9eed6ede8c71c8c4b447f7e0e31d6fcc3
-
SSDEEP
24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qk:acallSllG4ZM7QzMj
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2560 svchcst.exe -
Executes dropped EXE 23 IoCs
Loads dropped DLL 38 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1924 fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe -
Suspicious use of SetWindowsHookEx 48 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"8⤵PID:2368
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"14⤵
- Loads dropped DLL
PID:1864 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2412 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"16⤵
- Loads dropped DLL
PID:2464 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"18⤵PID:2632
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"18⤵
- Loads dropped DLL
PID:1552 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:592 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"20⤵
- Loads dropped DLL
PID:1768 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:636 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"22⤵
- Loads dropped DLL
PID:1692 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1472 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"24⤵
- Loads dropped DLL
PID:768 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2932 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"26⤵
- Loads dropped DLL
PID:2472 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1952 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"28⤵
- Loads dropped DLL
PID:2312 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2456 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"30⤵
- Loads dropped DLL
PID:2636 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1660 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"32⤵
- Loads dropped DLL
PID:1992 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"34⤵
- Loads dropped DLL
PID:2728 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:848 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"36⤵
- Loads dropped DLL
PID:2876 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:452 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"38⤵
- Loads dropped DLL
PID:320 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"40⤵
- Loads dropped DLL
PID:2088 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:344 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"42⤵PID:1584
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2512 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"14⤵PID:2916
-
Network
MITRE ATT&CK Enterprise v15
Downloads