64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
Size

1.1MB
MD5

a10f57a3203ef88b679a655a716bfae2
SHA1

3ae3d9fbdd8aa5dcce5c1ac3a58d820434797359
SHA256

64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1
SHA512

925bcb281c211ba221497ee0f3ec7c8239004283d0b8c710d8b9bb0de964f944190ad761a76e7fc1c6f1ea5e208ca242bc20002bce588733936b831c6ba05604
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzMp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
840	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
840	svchcst.exe
1952	svchcst.exe
344	svchcst.exe
2280	svchcst.exe
2948	svchcst.exe
2316	svchcst.exe
2336	svchcst.exe
2604	svchcst.exe
2864	svchcst.exe
1916	svchcst.exe
1380	svchcst.exe
988	svchcst.exe
1732	svchcst.exe
1692	svchcst.exe
2968	svchcst.exe
1500	svchcst.exe
2912	svchcst.exe
352	svchcst.exe
2916	svchcst.exe
1300	svchcst.exe
3028	svchcst.exe
1928	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2804	WScript.exe
2804	WScript.exe
572	WScript.exe
572	WScript.exe
1844	WScript.exe
1844	WScript.exe
1196	WScript.exe
660	WScript.exe
660	WScript.exe
660	WScript.exe
2968	WScript.exe
1200	WScript.exe
1200	WScript.exe
1576	WScript.exe
1576	WScript.exe
1576	WScript.exe
1484	WScript.exe
1484	WScript.exe
2936	WScript.exe
748	WScript.exe
748	WScript.exe
2232	WScript.exe
2232	WScript.exe
2836	WScript.exe
2836	WScript.exe
2188	WScript.exe
2188	WScript.exe
1872	WScript.exe
1872	WScript.exe
2624	WScript.exe
2624	WScript.exe
2644	WScript.exe
2644	WScript.exe
2844	WScript.exe
2844	WScript.exe
2072	WScript.exe
2072	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe
840	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
840	svchcst.exe
840	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
344	svchcst.exe
344	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
1916	svchcst.exe
1916	svchcst.exe
1380	svchcst.exe
1380	svchcst.exe
988	svchcst.exe
988	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
1016	svchcst.exe
1016	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
352	svchcst.exe
352	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
1928	svchcst.exe
1928	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2804	2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	30
PID 2276 wrote to memory of 2804	2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	30
PID 2276 wrote to memory of 2804	2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	30
PID 2276 wrote to memory of 2804	2276	64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe	30
PID 2804 wrote to memory of 840	2804	WScript.exe	32
PID 2804 wrote to memory of 840	2804	WScript.exe	32
PID 2804 wrote to memory of 840	2804	WScript.exe	32
PID 2804 wrote to memory of 840	2804	WScript.exe	32
PID 840 wrote to memory of 572	840	svchcst.exe	33
PID 840 wrote to memory of 572	840	svchcst.exe	33
PID 840 wrote to memory of 572	840	svchcst.exe	33
PID 840 wrote to memory of 572	840	svchcst.exe	33
PID 572 wrote to memory of 1952	572	WScript.exe	34
PID 572 wrote to memory of 1952	572	WScript.exe	34
PID 572 wrote to memory of 1952	572	WScript.exe	34
PID 572 wrote to memory of 1952	572	WScript.exe	34
PID 1952 wrote to memory of 1844	1952	svchcst.exe	35
PID 1952 wrote to memory of 1844	1952	svchcst.exe	35
PID 1952 wrote to memory of 1844	1952	svchcst.exe	35
PID 1952 wrote to memory of 1844	1952	svchcst.exe	35
PID 1844 wrote to memory of 344	1844	WScript.exe	36
PID 1844 wrote to memory of 344	1844	WScript.exe	36
PID 1844 wrote to memory of 344	1844	WScript.exe	36
PID 1844 wrote to memory of 344	1844	WScript.exe	36
PID 344 wrote to memory of 1196	344	svchcst.exe	37
PID 344 wrote to memory of 1196	344	svchcst.exe	37
PID 344 wrote to memory of 1196	344	svchcst.exe	37
PID 344 wrote to memory of 1196	344	svchcst.exe	37
PID 1196 wrote to memory of 2280	1196	WScript.exe	39
PID 1196 wrote to memory of 2280	1196	WScript.exe	39
PID 1196 wrote to memory of 2280	1196	WScript.exe	39
PID 1196 wrote to memory of 2280	1196	WScript.exe	39
PID 2280 wrote to memory of 660	2280	svchcst.exe	40
PID 2280 wrote to memory of 660	2280	svchcst.exe	40
PID 2280 wrote to memory of 660	2280	svchcst.exe	40
PID 2280 wrote to memory of 660	2280	svchcst.exe	40
PID 660 wrote to memory of 2948	660	WScript.exe	41
PID 660 wrote to memory of 2948	660	WScript.exe	41
PID 660 wrote to memory of 2948	660	WScript.exe	41
PID 660 wrote to memory of 2948	660	WScript.exe	41
PID 2948 wrote to memory of 1720	2948	svchcst.exe	42
PID 2948 wrote to memory of 1720	2948	svchcst.exe	42
PID 2948 wrote to memory of 1720	2948	svchcst.exe	42
PID 2948 wrote to memory of 1720	2948	svchcst.exe	42
PID 660 wrote to memory of 2316	660	WScript.exe	43
PID 660 wrote to memory of 2316	660	WScript.exe	43
PID 660 wrote to memory of 2316	660	WScript.exe	43
PID 660 wrote to memory of 2316	660	WScript.exe	43
PID 2316 wrote to memory of 2968	2316	svchcst.exe	44
PID 2316 wrote to memory of 2968	2316	svchcst.exe	44
PID 2316 wrote to memory of 2968	2316	svchcst.exe	44
PID 2316 wrote to memory of 2968	2316	svchcst.exe	44
PID 2968 wrote to memory of 2336	2968	WScript.exe	45
PID 2968 wrote to memory of 2336	2968	WScript.exe	45
PID 2968 wrote to memory of 2336	2968	WScript.exe	45
PID 2968 wrote to memory of 2336	2968	WScript.exe	45
PID 2336 wrote to memory of 1200	2336	svchcst.exe	46
PID 2336 wrote to memory of 1200	2336	svchcst.exe	46
PID 2336 wrote to memory of 1200	2336	svchcst.exe	46
PID 2336 wrote to memory of 1200	2336	svchcst.exe	46
PID 1200 wrote to memory of 2604	1200	WScript.exe	47
PID 1200 wrote to memory of 2604	1200	WScript.exe	47
PID 1200 wrote to memory of 2604	1200	WScript.exe	47
PID 1200 wrote to memory of 2604	1200	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe
"C:\Users\Admin\AppData\Local\Temp\64f33e938f228f7e6f711e9ac117c12b138b1db79fcea05c53fd774286d655b1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0b3dd2301f0ba82deaa6f9ad3810d37d

SHA1
ee8ddbc5f075fe958a3f85e5e76f8ea4a8da4674

SHA256
4ef3b724d8bd7e5738c41f9ff12d935ebd4d1aac07e42a7fe4cc7301d7ed2326

SHA512
e9faf976b3ecc1bc37cf418aa9a05e6c9bdc698dc7687e73a3f7591eb5e81744f7e5cba0005cc961bab228454c1e68161c3f79632af17dfb68a72487d09907fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8c039c5d350b169e9d519d8931b35710

SHA1
86f580f5b30ae5a89e1b10e7671a63abaa144743

SHA256
89a4ef552ae584340bc3d372f6c32cad851ba73eef76e436fb07ad3e648b4e92

SHA512
1552698268c66a37a254fd8bfee0919eb57ea75963d7b78c77f5a47303ebd70b01beee4af251a94f41656254314dbf7f3d08be6bc605b10572270b131162d3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
12416bb37be1c600a78a8109ade633b3

SHA1
d261982063973b19354195d66c0903eafb34e9ba

SHA256
4ee2d9bbeb6d18f4e500cec10ddafe013fb1cb527c7598ea68cbb4b04777ce83

SHA512
12d69217b0904dabad3eb5226773c2b6e19e43b26aa76c856ec368dc35be429565d94482b071980d2f991c8a17a80f8935a4c072ae58e776ecdba44a3b370be8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
130074aaee01dd5683f4f3f6456da18a

SHA1
f3b8d4f4dfccaaf6506949ff66b5791064d6fdf5

SHA256
7821c6b282e76aa1adab94784d01686479f67829cd6046aada046a4700b666a0

SHA512
dbb95eebc1a62d97ec877cb5f9e5660cafdc19b456490dbbc781eb883e01377353df0aa74c422dcfb65f9519dd77e68e9746dafb5501d9c2b92f390613568132

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bc1917ad3df251766d9f342654f6451f

SHA1
d56b0c073f2c2695129e3137a287a061242ad376

SHA256
a415d8aeff60473a689fd19b8f6d537d905bf317a7726f763af54c6c749021aa

SHA512
b046c14d130926a697128cc1393cccdb4db70b8b9651bb4f1fc6b7eab7591c7149404fd787e40dc99acb5b89aa8fa03e36bb1e0f9633ade8d9b45d6883d658b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5eb3793997f1ed937a019d655f74a806

SHA1
498da82e27dcc5c26d70dbf7e99f5603fed2044a

SHA256
e2049213b7c087dfeb58b8d4f67eb48073f6f09652db241647f95651ace9971e

SHA512
5e7a8f641ce473768e8dd7a8be77b863b93d83eb58ebf7eb6488810771076f9ba394414abf91421c4655aeba627d4a315227b7ae83c7ed31b0f3eeb3672dabb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
252a7be4940825f3f8f86c71d20682eb

SHA1
df63cabc855302122ae52c90f3d7bfd044bcbd6b

SHA256
ea908ef2e96508221e9a8a912e2dbfab8330a584b9c2f425794fe6c46194adc8

SHA512
2b004891f8a5a910c0227f0299a25d25425c4bb7ac28542cc9f5742535af4743837818a6fe7bb0a13e1c03cad4b26e317a11b80b33d02b85a7203d6957df07b3

Download Submit
memory/2276-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download