e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f

Analysis

max time kernel
147s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 06:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe
Size

1.1MB
MD5

1fe6fd6f72201126b772b9a366df0853
SHA1

22d06de967dd37114d9c4b1723904a61fdfe8983
SHA256

e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f
SHA512

b9564f232b4e861e00115820d929c90045edafb7473840fa74fc38b4335f6c38cffee0de7d4f1f9c38e53074e01bf864c2895d2352bfc58288748b60ef0630e4
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRZ:g5ApamAUAQ/lG4lBmFAvZZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
2776	svchcst.exe
1064	svchcst.exe
2572	svchcst.exe
952	svchcst.exe
2916	svchcst.exe
1164	svchcst.exe
1944	svchcst.exe
1748	svchcst.exe
2172	svchcst.exe
2884	svchcst.exe
2732	svchcst.exe
1436	svchcst.exe
700	svchcst.exe
2840	svchcst.exe
300	svchcst.exe
2952	svchcst.exe
2332	svchcst.exe
852	svchcst.exe
1724	svchcst.exe
956	svchcst.exe
820	svchcst.exe
1220	svchcst.exe

Loads dropped DLL 31 IoCs

pid	Process
2160	WScript.exe
2160	WScript.exe
2524	WScript.exe
2904	WScript.exe
2904	WScript.exe
1232	WScript.exe
1232	WScript.exe
1816	WScript.exe
1816	WScript.exe
1092	WScript.exe
1092	WScript.exe
2464	WScript.exe
1380	WScript.exe
1896	WScript.exe
1896	WScript.exe
1056	WScript.exe
1056	WScript.exe
2412	WScript.exe
2412	WScript.exe
1544	WScript.exe
1544	WScript.exe
2308	WScript.exe
2308	WScript.exe
1092	WScript.exe
1092	WScript.exe
1468	WScript.exe
1468	WScript.exe
2008	WScript.exe
2008	WScript.exe
936	WScript.exe
936	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe
2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe
2776	svchcst.exe
2776	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
952	svchcst.exe
952	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
1436	svchcst.exe
1436	svchcst.exe
700	svchcst.exe
700	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
300	svchcst.exe
300	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
852	svchcst.exe
852	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
956	svchcst.exe
956	svchcst.exe
820	svchcst.exe
820	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2160	2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe	28
PID 2336 wrote to memory of 2160	2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe	28
PID 2336 wrote to memory of 2160	2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe	28
PID 2336 wrote to memory of 2160	2336	e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe	28
PID 2160 wrote to memory of 2776	2160	WScript.exe	30
PID 2160 wrote to memory of 2776	2160	WScript.exe	30
PID 2160 wrote to memory of 2776	2160	WScript.exe	30
PID 2160 wrote to memory of 2776	2160	WScript.exe	30
PID 2776 wrote to memory of 2524	2776	svchcst.exe	31
PID 2776 wrote to memory of 2524	2776	svchcst.exe	31
PID 2776 wrote to memory of 2524	2776	svchcst.exe	31
PID 2776 wrote to memory of 2524	2776	svchcst.exe	31
PID 2524 wrote to memory of 1064	2524	WScript.exe	32
PID 2524 wrote to memory of 1064	2524	WScript.exe	32
PID 2524 wrote to memory of 1064	2524	WScript.exe	32
PID 2524 wrote to memory of 1064	2524	WScript.exe	32
PID 1064 wrote to memory of 2904	1064	svchcst.exe	33
PID 1064 wrote to memory of 2904	1064	svchcst.exe	33
PID 1064 wrote to memory of 2904	1064	svchcst.exe	33
PID 1064 wrote to memory of 2904	1064	svchcst.exe	33
PID 2904 wrote to memory of 2572	2904	WScript.exe	34
PID 2904 wrote to memory of 2572	2904	WScript.exe	34
PID 2904 wrote to memory of 2572	2904	WScript.exe	34
PID 2904 wrote to memory of 2572	2904	WScript.exe	34
PID 2572 wrote to memory of 2908	2572	svchcst.exe	35
PID 2572 wrote to memory of 2908	2572	svchcst.exe	35
PID 2572 wrote to memory of 2908	2572	svchcst.exe	35
PID 2572 wrote to memory of 2908	2572	svchcst.exe	35
PID 2904 wrote to memory of 952	2904	WScript.exe	36
PID 2904 wrote to memory of 952	2904	WScript.exe	36
PID 2904 wrote to memory of 952	2904	WScript.exe	36
PID 2904 wrote to memory of 952	2904	WScript.exe	36
PID 952 wrote to memory of 1232	952	svchcst.exe	37
PID 952 wrote to memory of 1232	952	svchcst.exe	37
PID 952 wrote to memory of 1232	952	svchcst.exe	37
PID 952 wrote to memory of 1232	952	svchcst.exe	37
PID 1232 wrote to memory of 2916	1232	WScript.exe	38
PID 1232 wrote to memory of 2916	1232	WScript.exe	38
PID 1232 wrote to memory of 2916	1232	WScript.exe	38
PID 1232 wrote to memory of 2916	1232	WScript.exe	38
PID 2916 wrote to memory of 724	2916	svchcst.exe	39
PID 2916 wrote to memory of 724	2916	svchcst.exe	39
PID 2916 wrote to memory of 724	2916	svchcst.exe	39
PID 2916 wrote to memory of 724	2916	svchcst.exe	39
PID 1232 wrote to memory of 1164	1232	WScript.exe	40
PID 1232 wrote to memory of 1164	1232	WScript.exe	40
PID 1232 wrote to memory of 1164	1232	WScript.exe	40
PID 1232 wrote to memory of 1164	1232	WScript.exe	40
PID 1164 wrote to memory of 1816	1164	svchcst.exe	41
PID 1164 wrote to memory of 1816	1164	svchcst.exe	41
PID 1164 wrote to memory of 1816	1164	svchcst.exe	41
PID 1164 wrote to memory of 1816	1164	svchcst.exe	41
PID 1816 wrote to memory of 1944	1816	WScript.exe	42
PID 1816 wrote to memory of 1944	1816	WScript.exe	42
PID 1816 wrote to memory of 1944	1816	WScript.exe	42
PID 1816 wrote to memory of 1944	1816	WScript.exe	42
PID 1944 wrote to memory of 2984	1944	svchcst.exe	43
PID 1944 wrote to memory of 2984	1944	svchcst.exe	43
PID 1944 wrote to memory of 2984	1944	svchcst.exe	43
PID 1944 wrote to memory of 2984	1944	svchcst.exe	43
PID 1816 wrote to memory of 1748	1816	WScript.exe	46
PID 1816 wrote to memory of 1748	1816	WScript.exe	46
PID 1816 wrote to memory of 1748	1816	WScript.exe	46
PID 1816 wrote to memory of 1748	1816	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe
"C:\Users\Admin\AppData\Local\Temp\e073e571f2ae0faa285e6366a2ec8e96ac60475848d9e3e4c33f23697207695f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
PID:1056
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:300
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    - Loads dropped DLL
    PID:2412
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2952
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        5⤵
        Loads dropped DLL
        
        PID:1544
      - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        6⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        7⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        9⤵
        Loads dropped DLL
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        11⤵
        Loads dropped DLL
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        13⤵
        Loads dropped DLL
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        15⤵
        Loads dropped DLL
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        17⤵
        Loads dropped DLL
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        19⤵
        
        PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b26ce510777359b5e92f17a3232a7262

SHA1
e5decb520463ce13cba2256981c03978afae751d

SHA256
4682706b6fb51c99a7e4803e441401688bc976d9ade325fa0fc3a362d88ae557

SHA512
24949b63d563e672faa95180ac941e6c0e0ac8eb14166541c58586e233e5f491e86701fd5fee9aaf103744727174f1432cd6720900b30792ec732cea6df8ec81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da3756fe77b1ce1465fb00cc442a7dee

SHA1
604d08b3c5dd6c3f5ed8d4a7d9ec3aa5e19b53b2

SHA256
ef61b71e56c17ee1342136511edeca29ba694817f8b1eacfa3ff554f6587b1d3

SHA512
d0268ce38fad699105f578ad65e64f11a7ea51e8435e5156a431fd3cd9012ac9efc03e673cea11a76e31cc42edf6ea42d72f377e7b4e7d3433520253946b8316

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
550KB

MD5
6a772ebe0a691d6fac38dc78a1891e85

SHA1
fade055ecc2c64ac6ce2bdd27438501f9f200265

SHA256
609e8e7e6dc8cd4c18d501b906ad2f8cb28c31ba9c12e82e340626807393223b

SHA512
aceada94ade1ca3c3a897a0bd39db6230c8ce0b6af299cd75cf2bbddf5327fd7c3aa430ecc27ce114ee09380e1f0a9599fe5d0650a8579901c75b6de0b90be9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
644KB

MD5
ccfeebebf8959b7ee28a7e3c4348ecc8

SHA1
d01b70ae4d99c352ba6ad145cee1a1d2d497e83f

SHA256
2d0a9e5c88b84558fd5dc67dfe6b8b20573fa096e16f27414b2da3d7086ae638

SHA512
4a38b79ac70b8fee5c6af0a58cae4f9713790072e4ef0cd68ddcfd1aec1c004b92141ae403795d46078faf563a1d4609d3da1187eaad5d6748b599e258720a45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
628KB

MD5
f325520c439b831d37cd5291d6bc1a42

SHA1
f463c8073186bb3fcda012b4bc7ffbdf70f9935b

SHA256
645adc88a234f549dc3ade6526489d7a4367556367ba57b4d15aa2a7b3451f85

SHA512
3af9b4655857fa1e12552334655ee5f5973156a919ec52630a4412344df9346f11dfe83fb9ea7ee545919d109d0327ccb128504c1eb9fb4ac79c52846dfab011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
234KB

MD5
73588c6fc768a7d3f81c668284329d3a

SHA1
71dee9541fa9df505fc10216b87a8dc65eab956b

SHA256
7fad4947e19e8273bd7c1fc796de341458d63dc7f00daae4abae3d3f5b1ea72e

SHA512
59f53d17aba37470803196f2f39e9135273b76a34a2a1f5bbeba4e03348c2fabc60b24ca2dddd4a8fa166f6d86736fa5a0a0773bf6e0f925bd995ca9598d0eb0

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
517KB

MD5
0883bd232f8c201d20351b444cb05bc6

SHA1
25727259c01f3638c5128e5ffe27a1864b560de8

SHA256
2898f6410771a050e04f3fbe2a0d16498f2e0ed2c68d82ee9a0bc619f2a6e391

SHA512
acb755f63888031e8a363a338768be15aed068749cd23657ddf1d5de065a938dd418a03dc3e07e48779107ab84c6b3a715c1fb8ad131f963603d4a89f461a25a

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
595KB

MD5
2b086412fd07e35da5e305098254687f

SHA1
21ed13c3e8e84c3ab1c0372b5e8e18048d7cfdf7

SHA256
1aa2387f2bb7172de040d6d5849d5ccfa9d7d7500f8d9d88e569f0b37ffd1dc5

SHA512
a92ee20886a51b4fe3a656eb8712652cd2908f39904c0aa600ff7476b49d9a874ce967bdcb46341ed79c37391b6ac7c520ec6202d695059acd39a5964b6f05a1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
693KB

MD5
f6765fdda84fe3543f36aadc8295dbe8

SHA1
d759263ffbfbe01d4d3c8d82b91f6bb87ddaa4c0

SHA256
d397ab4bbd3304409b79d73edb608c31729fba7e1199c4b9e9ed2cfa6f479b2f

SHA512
130b87ec5e3b87b1cbb38462006578a28fe3012624a13755de3b95d1ab144223455ad01e541df086bfd50280d78a8414f65d4e704b9e9f9a1bea99ea0fad0604

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
662KB

MD5
9888bdd7f2eee60cffb97bf37566e548

SHA1
5b85508cf4e8ecbe828253eb71cdd5e5376b398c

SHA256
a1d14c4cdccd19946a40565a51e261d4d1f53a4f73b15dbb14ce61165a033dc3

SHA512
6414bd6dd76c7f81c704f6f555704b852658556f304cbc445e9cd910e82d4d36ad94cc81c9aebe1fcd6e7fcc25c537bb4c27fbc5982d7a969d44389c10f50fbe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
908KB

MD5
e63c47d009f8b35c98d575ad4646d6b2

SHA1
b45e6c5d5e724c577ea451e56029ef9b56977725

SHA256
cc8e9ce4f56c34a1b9f3af7602d860a7d3c35695d68cd4860a248f86a00d0a6c

SHA512
ce5548f6c83e314361faf15faa3a1465390711b5efcdd6a104232ad91b543ff23bce5b6cc472800de3d161a4490a4861939d8753444e1cf3bdafa9e607afc31f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
320KB

MD5
5a71db48c6d6a47dd064ce2971ea8c9a

SHA1
fdad0e2fdb5526467e349fd8388af908c895bcc2

SHA256
9b0c0979286f02f2d0c1523bd74e73e585d76f0aa50ffb2458462180beed8fea

SHA512
dbf75c1f940bd422889d15685ca58fe7dee9f2a1e38c069e547fe514fc57de4b948f0627f67b7d40dbbf44a4f1e7b14c2f6aa60c15e4df11c1e13b47cad99ad8

Download Submit