3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 19:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
Size

1.1MB
MD5

958b7c6dc567d45b089b0289409d30aa
SHA1

2fb3714098e35ba41a2bdf9a998083565900ac4a
SHA256

3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4
SHA512

d5eede63a9fb566465cc0650dd30d7a9a676ae78235f8506e72d241adb7bb7509bf04f0f83c6955ca704fd6a8567aaf76a42d7f8fcd257fd9754c521577bc532
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q7:CcaClSFlG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2016	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2016	svchcst.exe
2976	svchcst.exe
2696	svchcst.exe
1416	svchcst.exe
2140	svchcst.exe
604	svchcst.exe
1536	svchcst.exe
2900	svchcst.exe
2020	svchcst.exe
2536	svchcst.exe
1300	svchcst.exe
1672	svchcst.exe
240	svchcst.exe
776	svchcst.exe
1496	svchcst.exe
1884	svchcst.exe
1848	svchcst.exe
2480	svchcst.exe
2980	svchcst.exe
2504	svchcst.exe
2500	svchcst.exe
1220	svchcst.exe
2076	svchcst.exe

Loads dropped DLL 34 IoCs

pid	Process
2440	WScript.exe
2440	WScript.exe
2524	WScript.exe
1624	WScript.exe
1624	WScript.exe
3004	WScript.exe
1252	WScript.exe
2300	WScript.exe
2300	WScript.exe
888	WScript.exe
888	WScript.exe
2972	WScript.exe
2972	WScript.exe
2972	WScript.exe
1704	WScript.exe
540	WScript.exe
1440	WScript.exe
1440	WScript.exe
976	WScript.exe
976	WScript.exe
1744	WScript.exe
1744	WScript.exe
1088	WScript.exe
1088	WScript.exe
2004	WScript.exe
2004	WScript.exe
2716	WScript.exe
2716	WScript.exe
2784	WScript.exe
2784	WScript.exe
2532	WScript.exe
2532	WScript.exe
2840	WScript.exe
2840	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
2016	svchcst.exe
2016	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
604	svchcst.exe
604	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
1672	svchcst.exe
1672	svchcst.exe
240	svchcst.exe
240	svchcst.exe
776	svchcst.exe
776	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1848	svchcst.exe
1848	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
2076	svchcst.exe
2076	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2440	1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	20
PID 1712 wrote to memory of 2440	1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	20
PID 1712 wrote to memory of 2440	1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	20
PID 1712 wrote to memory of 2440	1712	3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe	20
PID 2440 wrote to memory of 2016	2440	WScript.exe	31
PID 2440 wrote to memory of 2016	2440	WScript.exe	31
PID 2440 wrote to memory of 2016	2440	WScript.exe	31
PID 2440 wrote to memory of 2016	2440	WScript.exe	31
PID 2016 wrote to memory of 2524	2016	svchcst.exe	30
PID 2016 wrote to memory of 2524	2016	svchcst.exe	30
PID 2016 wrote to memory of 2524	2016	svchcst.exe	30
PID 2016 wrote to memory of 2524	2016	svchcst.exe	30
PID 2524 wrote to memory of 2976	2524	WScript.exe	33
PID 2524 wrote to memory of 2976	2524	WScript.exe	33
PID 2524 wrote to memory of 2976	2524	WScript.exe	33
PID 2524 wrote to memory of 2976	2524	WScript.exe	33
PID 2976 wrote to memory of 1624	2976	svchcst.exe	32
PID 2976 wrote to memory of 1624	2976	svchcst.exe	32
PID 2976 wrote to memory of 1624	2976	svchcst.exe	32
PID 2976 wrote to memory of 1624	2976	svchcst.exe	32
PID 1624 wrote to memory of 2696	1624	WScript.exe	35
PID 1624 wrote to memory of 2696	1624	WScript.exe	35
PID 1624 wrote to memory of 2696	1624	WScript.exe	35
PID 1624 wrote to memory of 2696	1624	WScript.exe	35
PID 2696 wrote to memory of 2808	2696	svchcst.exe	34
PID 2696 wrote to memory of 2808	2696	svchcst.exe	34
PID 2696 wrote to memory of 2808	2696	svchcst.exe	34
PID 2696 wrote to memory of 2808	2696	svchcst.exe	34
PID 1624 wrote to memory of 1416	1624	WScript.exe	37
PID 1624 wrote to memory of 1416	1624	WScript.exe	37
PID 1624 wrote to memory of 1416	1624	WScript.exe	37
PID 1624 wrote to memory of 1416	1624	WScript.exe	37
PID 1416 wrote to memory of 3004	1416	svchcst.exe	36
PID 1416 wrote to memory of 3004	1416	svchcst.exe	36
PID 1416 wrote to memory of 3004	1416	svchcst.exe	36
PID 1416 wrote to memory of 3004	1416	svchcst.exe	36
PID 3004 wrote to memory of 2140	3004	WScript.exe	39
PID 3004 wrote to memory of 2140	3004	WScript.exe	39
PID 3004 wrote to memory of 2140	3004	WScript.exe	39
PID 3004 wrote to memory of 2140	3004	WScript.exe	39
PID 2140 wrote to memory of 1252	2140	svchcst.exe	38
PID 2140 wrote to memory of 1252	2140	svchcst.exe	38
PID 2140 wrote to memory of 1252	2140	svchcst.exe	38
PID 2140 wrote to memory of 1252	2140	svchcst.exe	38
PID 1252 wrote to memory of 604	1252	WScript.exe	41
PID 1252 wrote to memory of 604	1252	WScript.exe	41
PID 1252 wrote to memory of 604	1252	WScript.exe	41
PID 1252 wrote to memory of 604	1252	WScript.exe	41
PID 604 wrote to memory of 2300	604	svchcst.exe	40
PID 604 wrote to memory of 2300	604	svchcst.exe	40
PID 604 wrote to memory of 2300	604	svchcst.exe	40
PID 604 wrote to memory of 2300	604	svchcst.exe	40
PID 2300 wrote to memory of 1536	2300	WScript.exe	42
PID 2300 wrote to memory of 1536	2300	WScript.exe	42
PID 2300 wrote to memory of 1536	2300	WScript.exe	42
PID 2300 wrote to memory of 1536	2300	WScript.exe	42
PID 1536 wrote to memory of 1148	1536	svchcst.exe	43
PID 1536 wrote to memory of 1148	1536	svchcst.exe	43
PID 1536 wrote to memory of 1148	1536	svchcst.exe	43
PID 1536 wrote to memory of 1148	1536	svchcst.exe	43
PID 2300 wrote to memory of 2900	2300	WScript.exe	45
PID 2300 wrote to memory of 2900	2300	WScript.exe	45
PID 2300 wrote to memory of 2900	2300	WScript.exe	45
PID 2300 wrote to memory of 2900	2300	WScript.exe	45

C:\Users\Admin\AppData\Local\Temp\3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe
"C:\Users\Admin\AppData\Local\Temp\3daf6b7a11b29f1721831af07847b32532fb4622e71fec73bf01c6a0cbcdfce4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
PID:2808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2140

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    PID:1148
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
PID:888
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2020
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    PID:2080
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
PID:2972
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1300
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    PID:1600
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1672
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    3⤵
    - Loads dropped DLL
    PID:1704
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:240
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        5⤵
        Loads dropped DLL
        
        PID:540
      - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        7⤵
        Loads dropped DLL
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        9⤵
        Loads dropped DLL
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        11⤵
        Loads dropped DLL
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        13⤵
        Loads dropped DLL
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        15⤵
        Loads dropped DLL
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        17⤵
        Loads dropped DLL
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        19⤵
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        21⤵
        Loads dropped DLL
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        23⤵
        Loads dropped DLL
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        25⤵
        
        PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
011a146b0f54da2667193f90d675c9b4

SHA1
4ea7a63d97698ea2d66004583e83e5001d84a136

SHA256
338b1453765ba26642c00fc32d216c7f133b08aab87140bcf1b3356d6a241520

SHA512
4572d7be4de39a534017b69af6a576a9cdc2aa6964cc27bddf1046024ec72eb914b58c295f3c034db2137d15067ad27139421a0feda7c9d9148db960547ed563

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6c449490fbbd7eb3ebf30e6213365b17

SHA1
e95d08e1a1711d536b155bca822e4cfb91752632

SHA256
c562426fbf6c82e95a16a6eb48b48f59c6e4684c3e6de9ad533074e506226c40

SHA512
ee034bca8cb319ac17b2e82b36dea8849120c33cf44719a95f8a9afe95a8c20acfe4a8cf636f67ded30bddaf76f3fee6485aac145333ec03ec0f6b767caa2e98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
193KB

MD5
790fe2ba44c29c3001d243d18cc327cd

SHA1
e401daf9b534e5360d062fdf670b3022ab29f1d6

SHA256
6607ecabdaa673522c41be777041168eaa5a134881ad80c45652f7fa63f0d77e

SHA512
5abc6c84832638dbbdb984d5d3343073914b42a6009920bb8167aa9a00ed0a669db9547113acc5ca530c6cef47f85e7cb418c8e738cfbd65ef3fcefccc0d561d

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
384KB

MD5
aacfab22ae920bd8640e6a9eaf6372cc

SHA1
e465143054a1a82fda375068ee75efc8cc915671

SHA256
7096569c01c32a4231f556435b0604195fcbfcda7dea046ab3b584e73cc2c746

SHA512
bb6b3450eb837bcea3f7e64ee967742719cb6b3503f1e0194c992027c6d11591e55ce7a2d0158690b3c117a353207adc2218ed0c6db1bf77fc1520d7cf683498

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
93KB

MD5
2a1ed1834415d084941f71e0bcd61fae

SHA1
841e0345d82165dcc05b685cc57c4ee3b79a27ed

SHA256
1e32e2594f8e60bd53e8e537effd45549004f5c62c53bfad876e03cfe98c65d4

SHA512
5b36f036b63ce54397d6bdf4e0922aef06b47417dba8ac556c48d5bab4d3cf13d715ec8c94cf5b4b0874d85df1aab49d4dc68e901d6c5b3965ed516bdf048842

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
413KB

MD5
d9de3abcffa0089c2ea2cdee47e05176

SHA1
72fc66c8796b75d95b88bf7cbcc78f0277ed1adf

SHA256
e43c249a987dcdc84ebb36ee845366e0504bb12c85b51fe2f3ca0b2a23c18490

SHA512
3d66c1ec361c07c12ee956709ab06fd73d376a5f1c41c438bf42ab69fc503ea2e05d660df231645527ed9d412f85a33e736a73ca0e6ad605851f72aa22080c45

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fa2edeca1249d028951818fb9e98e90b

SHA1
112f9ef28fd14611c27b91e9cc4d02641040e44d

SHA256
ea8ad6ca4accda5225660050a1d212ace4a7e5b34b500d644ad2e63135e49ee4

SHA512
64aee87f300f1fdcc8156ca4b2a08d80b235de10707eae3a781d81cfec40fb723bd836d47e317cae23a5619cbe6a8be4084c13b02cd65d4717e9df56d3661a77

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
919KB

MD5
cec2320f64ea1c7840fec4423aa67210

SHA1
ec1b4ebb464806cb10497932dc4a8298a7a7b29d

SHA256
6bf50f8fc69e35f905364757d20a511ed951ff92c1616c369728b4b01dc3558d

SHA512
e19e6e9b4f3a6e2f9e864fe7abc29249cb659512828eb78cf12196e742826eb5959425c4f92b85efdf8b00153ed31d143071d3ad0d9a76cda70c603f0534373e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
399KB

MD5
eafce0e74c060fae92e0da8c0fa5a5ec

SHA1
a9d64f08575b7a3224fc3b289dfcf1e89fbf13c9

SHA256
9ed00039665a0b6a7d2b6cd9c9cf4e5bd42bc51757b253b0cef4e21722437cc0

SHA512
82b7e1836825945d1d27b8426b816d882d0ef078c4c53a1ffe279f4173d75ff35534b61cdd62fe6120aaba1136cdb4c943a3bfe1e81d42957cd9579985d31027

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
665KB

MD5
5a279be6ae8a3f3bb0f8b50f339b33ab

SHA1
7472c79160c54054bb30b06b8016792cfb1fef78

SHA256
fb8c8081fabdb050d04bd3406f94c3b3fdf5e63073de8dd150fd5af9565a227a

SHA512
553832cdb72ca22da6794b85d209d9d671f8f900583e242f3f955dba73ef3da03e402f106c11647eb61d0a0d5a92c8f83a2d79fa00841adea58c46d0d7dcbbfc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
904KB

MD5
db71d9c22682f9d368a5e5b88237dbcb

SHA1
a83b31323fdeeea3aed05bc6586503fe505b177f

SHA256
e9609777ad18e34d2519b05dfb44bd8dc4d959a724d927616dd0cb1b627fea3d

SHA512
c1bd737c97b714d85e4cf344df81bf5ef2a4597c2bd685061b3ca5f79c19d157f1fd43200c398962fe8383fe1731c677502b94b694e1f6f2c70bd0ddfe815357

Download Submit