e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207

Analysis

max time kernel
103s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/01/2024, 01:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
Size

1.1MB
MD5

038e3876a3bc0768ebe5e78606cf590e
SHA1

dd727d94729385f6450e048f86d3ab4622652a9f
SHA256

e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207
SHA512

97cfd6a5785c820c79e1c8aa6d01653746447c21fb1c853c0156638a562daf7354a51cff8a9aa75a604d6a0a1267129d7a928eee312acc7946ec9120ae10a8e2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1320	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
1320	svchcst.exe
2908	svchcst.exe
2940	svchcst.exe
1688	svchcst.exe
2428	svchcst.exe
2996	svchcst.exe
2248	svchcst.exe
1648	svchcst.exe
272	svchcst.exe
2092	svchcst.exe
2392	svchcst.exe
2212	svchcst.exe
3064	svchcst.exe
2476	svchcst.exe
2236	svchcst.exe
2992	svchcst.exe
972	svchcst.exe
2288	svchcst.exe
1100	svchcst.exe
2696	svchcst.exe
2492	svchcst.exe
2868	svchcst.exe

Loads dropped DLL 32 IoCs

pid	Process
2680	WScript.exe
2680	WScript.exe
2124	WScript.exe
2124	WScript.exe
2548	WScript.exe
2548	WScript.exe
1968	WScript.exe
2456	WScript.exe
1284	WScript.exe
2456	WScript.exe
2456	WScript.exe
1044	WScript.exe
1044	WScript.exe
1284	WScript.exe
1284	WScript.exe
1284	WScript.exe
2108	WScript.exe
2108	WScript.exe
1012	WScript.exe
2940	WScript.exe
2004	WScript.exe
1844	WScript.exe
1844	WScript.exe
1844	WScript.exe
272	WScript.exe
272	WScript.exe
544	WScript.exe
544	WScript.exe
2184	WScript.exe
2184	WScript.exe
2756	WScript.exe
2756	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
1320	svchcst.exe
1320	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
1648	svchcst.exe
1648	svchcst.exe
272	svchcst.exe
272	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
972	svchcst.exe
972	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
1100	svchcst.exe
1100	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2680	2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	28
PID 2760 wrote to memory of 2680	2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	28
PID 2760 wrote to memory of 2680	2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	28
PID 2760 wrote to memory of 2680	2760	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	28
PID 2680 wrote to memory of 1320	2680	WScript.exe	30
PID 2680 wrote to memory of 1320	2680	WScript.exe	30
PID 2680 wrote to memory of 1320	2680	WScript.exe	30
PID 2680 wrote to memory of 1320	2680	WScript.exe	30
PID 1320 wrote to memory of 2124	1320	svchcst.exe	32
PID 1320 wrote to memory of 2124	1320	svchcst.exe	32
PID 1320 wrote to memory of 2124	1320	svchcst.exe	32
PID 1320 wrote to memory of 2124	1320	svchcst.exe	32
PID 1320 wrote to memory of 2548	1320	svchcst.exe	31
PID 1320 wrote to memory of 2548	1320	svchcst.exe	31
PID 1320 wrote to memory of 2548	1320	svchcst.exe	31
PID 1320 wrote to memory of 2548	1320	svchcst.exe	31
PID 2124 wrote to memory of 2908	2124	WScript.exe	34
PID 2124 wrote to memory of 2908	2124	WScript.exe	34
PID 2124 wrote to memory of 2908	2124	WScript.exe	34
PID 2124 wrote to memory of 2908	2124	WScript.exe	34
PID 2548 wrote to memory of 2940	2548	WScript.exe	33
PID 2548 wrote to memory of 2940	2548	WScript.exe	33
PID 2548 wrote to memory of 2940	2548	WScript.exe	33
PID 2548 wrote to memory of 2940	2548	WScript.exe	33
PID 2940 wrote to memory of 1968	2940	svchcst.exe	35
PID 2940 wrote to memory of 1968	2940	svchcst.exe	35
PID 2940 wrote to memory of 1968	2940	svchcst.exe	35
PID 2940 wrote to memory of 1968	2940	svchcst.exe	35
PID 1968 wrote to memory of 1688	1968	WScript.exe	36
PID 1968 wrote to memory of 1688	1968	WScript.exe	36
PID 1968 wrote to memory of 1688	1968	WScript.exe	36
PID 1968 wrote to memory of 1688	1968	WScript.exe	36
PID 1688 wrote to memory of 2456	1688	svchcst.exe	38
PID 1688 wrote to memory of 2456	1688	svchcst.exe	38
PID 1688 wrote to memory of 2456	1688	svchcst.exe	38
PID 1688 wrote to memory of 2456	1688	svchcst.exe	38
PID 1688 wrote to memory of 1284	1688	svchcst.exe	37
PID 1688 wrote to memory of 1284	1688	svchcst.exe	37
PID 1688 wrote to memory of 1284	1688	svchcst.exe	37
PID 1688 wrote to memory of 1284	1688	svchcst.exe	37
PID 2456 wrote to memory of 2428	2456	WScript.exe	39
PID 2456 wrote to memory of 2428	2456	WScript.exe	39
PID 2456 wrote to memory of 2428	2456	WScript.exe	39
PID 2456 wrote to memory of 2428	2456	WScript.exe	39
PID 1284 wrote to memory of 2996	1284	WScript.exe	40
PID 1284 wrote to memory of 2996	1284	WScript.exe	40
PID 1284 wrote to memory of 2996	1284	WScript.exe	40
PID 1284 wrote to memory of 2996	1284	WScript.exe	40
PID 2428 wrote to memory of 1044	2428	svchcst.exe	41
PID 2428 wrote to memory of 1044	2428	svchcst.exe	41
PID 2428 wrote to memory of 1044	2428	svchcst.exe	41
PID 2428 wrote to memory of 1044	2428	svchcst.exe	41
PID 2456 wrote to memory of 2248	2456	WScript.exe	44
PID 2456 wrote to memory of 2248	2456	WScript.exe	44
PID 2456 wrote to memory of 2248	2456	WScript.exe	44
PID 2456 wrote to memory of 2248	2456	WScript.exe	44
PID 1044 wrote to memory of 1648	1044	WScript.exe	45
PID 1044 wrote to memory of 1648	1044	WScript.exe	45
PID 1044 wrote to memory of 1648	1044	WScript.exe	45
PID 1044 wrote to memory of 1648	1044	WScript.exe	45
PID 1044 wrote to memory of 272	1044	WScript.exe	46
PID 1044 wrote to memory of 272	1044	WScript.exe	46
PID 1044 wrote to memory of 272	1044	WScript.exe	46
PID 1044 wrote to memory of 272	1044	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
"C:\Users\Admin\AppData\Local\Temp\e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        
        PID:400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e4b3a6ada7d7c1a8b83cdd349f4faa22

SHA1
09ef5a92b332edf3e892b3d33e65aedd1b72216c

SHA256
cda1329414306d38e52f9c1f394d05ec38040dbbeab9f685b110a8312955d0d5

SHA512
773e86e40d0440e1f40308fd1bbc996132872f31b46a982c0873478ac82d10b498f10c8d9eac6d156a2df3c652268a17e5ed6ec8a8244802678edeab7e2071f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e4d3ddb48ef67f8866c1f242c328f691

SHA1
381e52b58ed874fae0ec4d2c8ef680f9eb7b443b

SHA256
1b9103446df1bbb34f92ebc75ba9c7bd8fed74d38e636d3c96fa9ecc34ed2ba3

SHA512
0ccc3ccfde2e943e49d2a5b2d72fc5ef5163661f652078aeff15ac77a72aef64b39c40890263d88434b7b42dc6cf610d58255ac0052abffa997cb660cb0038c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8fa8cb56f19b2f9806393af360643e71

SHA1
4875b2594194fced27f9200fb23aa43f79000a34

SHA256
58fba0cab48776c8163aec0ddf5bbf549a8c6c116c7df6f0c3d6855e758f5c79

SHA512
b0c5b4c87232dcfd193ed1c2c9d809177b230e65133db3e2f8c31a601c1d346acd0b6ae2a718d6997bd2f5fcb8ecc9fcb4dc4d5de3be40da4754239bd1b221b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e36b2e488fca735a4c5608164cb3ff18

SHA1
e137ccf35fbad03c1e4a919fb97dd4016fa00780

SHA256
006b837bd0ee34e74330d51317c7c5a21e34cd8d113ceaa9f676e592cf756aa8

SHA512
c498c6b3e1161e77117db73dde698b621d08d80b60ef364fa77a51b380e67b0a3dd0afa92ee4457b94d402bf503949932cbaa2ada7cd4eb03ac0ee96bf76a101

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
128KB

MD5
bc1864c83633336ea3d14046f55a915e

SHA1
a0708b453a5d391e5e9267b19de285a839d3ad8b

SHA256
f026e2d94c11085502a28d9203e0d787246439229bfb983e90f50a47fad6be4e

SHA512
23bfd188abd2a24b7e4b9a79caecc98b995c316528a36836b5cbd0d36f7559bbb3e088f72fcffb06827b5e93447bda54831261d36bef342589c12b3691e23310

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
009d042fba446c886870f0bd57469dc7

SHA1
ae7b171abebf9493533f15f8a50fe225466b0b48

SHA256
a66e4e082afe690e8cf6755064c90b1f7804b5be91c31919986e07bb9b8ca906

SHA512
cf604caeff562faf297c2d0db41d92f8c2e98f27c49309c8d8c55170ff7a269650212edb3cfc458d9ff71e46ac822d2bb4e2bed5bce6c3e78aa3eb3b55cabe39

Download Submit
memory/1320-16-0x0000000004100000-0x0000000004170000-memory.dmp

Filesize
448KB

Download