c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
Size

1.1MB
MD5

503daa439879c6805cf54a8fcf6a1ece
SHA1

3d38e0d18c2f9fcd0d24cfbc9c31532611bda47e
SHA256

c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31
SHA512

af37f816c8afa8f5bf9ea5f4f022b4dde1d9253a09f3269f2cf3cf1334a2cdc50da768fcc2c4b88246c28e49ab5908a2aa93fec5030599a0531abd276586749b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzMZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2448	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2448	svchcst.exe
2768	svchcst.exe
1932	svchcst.exe
2992	svchcst.exe
2880	svchcst.exe
1892	svchcst.exe
688	svchcst.exe
2612	svchcst.exe
2548	svchcst.exe
1412	svchcst.exe
1852	svchcst.exe
1000	svchcst.exe
2992	svchcst.exe
1784	svchcst.exe
1276	svchcst.exe
2904	svchcst.exe
400	svchcst.exe
1420	svchcst.exe
2656	svchcst.exe
2716	svchcst.exe
320	svchcst.exe
2076	svchcst.exe
1396	svchcst.exe

Loads dropped DLL 41 IoCs

pid	Process
2544	WScript.exe
2544	WScript.exe
1016	WScript.exe
1016	WScript.exe
1604	WScript.exe
1604	WScript.exe
1580	WScript.exe
1580	WScript.exe
2232	WScript.exe
2232	WScript.exe
628	WScript.exe
628	WScript.exe
1792	WScript.exe
1176	WScript.exe
1176	WScript.exe
1584	WScript.exe
2012	WScript.exe
2012	WScript.exe
2764	WScript.exe
2980	WScript.exe
2980	WScript.exe
2840	WScript.exe
2840	WScript.exe
828	WScript.exe
828	WScript.exe
1552	WScript.exe
1552	WScript.exe
2528	WScript.exe
2528	WScript.exe
1528	WScript.exe
1528	WScript.exe
2784	WScript.exe
2784	WScript.exe
2772	WScript.exe
2772	WScript.exe
2724	WScript.exe
2724	WScript.exe
112	WScript.exe
112	WScript.exe
764	WScript.exe
764	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
2448	svchcst.exe
2448	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
1892	svchcst.exe
1892	svchcst.exe
688	svchcst.exe
688	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1852	svchcst.exe
1852	svchcst.exe
1000	svchcst.exe
1000	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
1276	svchcst.exe
1276	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
400	svchcst.exe
400	svchcst.exe
1420	svchcst.exe
1420	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
320	svchcst.exe
320	svchcst.exe
2076	svchcst.exe
2076	svchcst.exe
1396	svchcst.exe
1396	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2544	2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe	28
PID 2480 wrote to memory of 2544	2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe	28
PID 2480 wrote to memory of 2544	2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe	28
PID 2480 wrote to memory of 2544	2480	c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe	28
PID 2544 wrote to memory of 2448	2544	WScript.exe	30
PID 2544 wrote to memory of 2448	2544	WScript.exe	30
PID 2544 wrote to memory of 2448	2544	WScript.exe	30
PID 2544 wrote to memory of 2448	2544	WScript.exe	30
PID 2448 wrote to memory of 1016	2448	svchcst.exe	31
PID 2448 wrote to memory of 1016	2448	svchcst.exe	31
PID 2448 wrote to memory of 1016	2448	svchcst.exe	31
PID 2448 wrote to memory of 1016	2448	svchcst.exe	31
PID 1016 wrote to memory of 2768	1016	WScript.exe	32
PID 1016 wrote to memory of 2768	1016	WScript.exe	32
PID 1016 wrote to memory of 2768	1016	WScript.exe	32
PID 1016 wrote to memory of 2768	1016	WScript.exe	32
PID 2768 wrote to memory of 1604	2768	svchcst.exe	33
PID 2768 wrote to memory of 1604	2768	svchcst.exe	33
PID 2768 wrote to memory of 1604	2768	svchcst.exe	33
PID 2768 wrote to memory of 1604	2768	svchcst.exe	33
PID 1604 wrote to memory of 1932	1604	WScript.exe	34
PID 1604 wrote to memory of 1932	1604	WScript.exe	34
PID 1604 wrote to memory of 1932	1604	WScript.exe	34
PID 1604 wrote to memory of 1932	1604	WScript.exe	34
PID 1932 wrote to memory of 1580	1932	svchcst.exe	35
PID 1932 wrote to memory of 1580	1932	svchcst.exe	35
PID 1932 wrote to memory of 1580	1932	svchcst.exe	35
PID 1932 wrote to memory of 1580	1932	svchcst.exe	35
PID 1580 wrote to memory of 2992	1580	WScript.exe	36
PID 1580 wrote to memory of 2992	1580	WScript.exe	36
PID 1580 wrote to memory of 2992	1580	WScript.exe	36
PID 1580 wrote to memory of 2992	1580	WScript.exe	36
PID 2992 wrote to memory of 2232	2992	svchcst.exe	37
PID 2992 wrote to memory of 2232	2992	svchcst.exe	37
PID 2992 wrote to memory of 2232	2992	svchcst.exe	37
PID 2992 wrote to memory of 2232	2992	svchcst.exe	37
PID 2232 wrote to memory of 2880	2232	WScript.exe	38
PID 2232 wrote to memory of 2880	2232	WScript.exe	38
PID 2232 wrote to memory of 2880	2232	WScript.exe	38
PID 2232 wrote to memory of 2880	2232	WScript.exe	38
PID 2880 wrote to memory of 628	2880	svchcst.exe	39
PID 2880 wrote to memory of 628	2880	svchcst.exe	39
PID 2880 wrote to memory of 628	2880	svchcst.exe	39
PID 2880 wrote to memory of 628	2880	svchcst.exe	39
PID 628 wrote to memory of 1892	628	WScript.exe	40
PID 628 wrote to memory of 1892	628	WScript.exe	40
PID 628 wrote to memory of 1892	628	WScript.exe	40
PID 628 wrote to memory of 1892	628	WScript.exe	40
PID 1892 wrote to memory of 1792	1892	svchcst.exe	41
PID 1892 wrote to memory of 1792	1892	svchcst.exe	41
PID 1892 wrote to memory of 1792	1892	svchcst.exe	41
PID 1892 wrote to memory of 1792	1892	svchcst.exe	41
PID 1792 wrote to memory of 688	1792	WScript.exe	42
PID 1792 wrote to memory of 688	1792	WScript.exe	42
PID 1792 wrote to memory of 688	1792	WScript.exe	42
PID 1792 wrote to memory of 688	1792	WScript.exe	42
PID 688 wrote to memory of 1176	688	svchcst.exe	43
PID 688 wrote to memory of 1176	688	svchcst.exe	43
PID 688 wrote to memory of 1176	688	svchcst.exe	43
PID 688 wrote to memory of 1176	688	svchcst.exe	43
PID 1176 wrote to memory of 2612	1176	WScript.exe	46
PID 1176 wrote to memory of 2612	1176	WScript.exe	46
PID 1176 wrote to memory of 2612	1176	WScript.exe	46
PID 1176 wrote to memory of 2612	1176	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe
"C:\Users\Admin\AppData\Local\Temp\c1a7d33e6b9694aa57d86b980423ddd877139efbd542f10096fec7609583dc31.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
753877b81fe72b8572ac123fd0082bde

SHA1
f381c373440da792a3bb50c5669d88a095d89ddb

SHA256
ae13fd4cf9f3fe302d2110bf6448e8b89b7d4dc51657756cc6dd85b0547c39a7

SHA512
036a6403645031a7e528be001b5fa44b761aaa6bfb336c98fbc12e9df0ca28b0e0d48b60ed47af1bbc5a6564f1e99f8941e6a68ecd463ff09431b2ebfcfef8ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62413982ebdf744a296e0750131707f9

SHA1
8d7b3a958e765d171480c9c7d227d8c94b21c7d4

SHA256
f20126deea9a141babed84e93bfcb65ec58318d1e4d3ad7e2a931367a86e99c4

SHA512
c7ff35afa8d8f8a907e11fb959d4f8340177077a935bb3e61757b3c8e68813b2d646c3f42610a136a3add014e118efa270385f1d3821184fcdea4df725d3d370

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cc217b99cfbdf98ad16709c175cc9227

SHA1
a7a6f728c491c2285ad1a7d52a3c4c6f9612db9f

SHA256
e354c707ecd320835fdcd15b205cc82f3c178cae8544463c0ed79030b4f53817

SHA512
190f0cf895654d581394c32a7d8d8081efe62ab1b545d3409dc0312dcb946029ea4bbcb60cccc5575d58ed29e0721bf6c024441037d9d9f9d510e6b9a5a3382e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
61e3bba22f3c351d5dc95174138769b2

SHA1
7f650b7d38c23bc01f19382b1a35221239169014

SHA256
0a3a1a47ddca30b647eb0ed9f0a7eaa1dec2b0f5edac2b14b81d5761adb2e5b4

SHA512
f4b717231229024fc1aa5dcfcd896b0707b81a79b26c6c156d55c73b102d9cc674799847afc29cc26c3823ee88cc33d84396c44c61bb83c88d701187a5dff09e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
871a265a923d3044bea70ae72142bf6a

SHA1
f34241f21a6e3882b1966854ab21e936221b82f4

SHA256
e0e4187d9fa2f474e0647d276dfcf3e62938bb28d13d834401926cd40c2d4b1a

SHA512
46f11cefcb83b2771d16fab87be26984b2eeda3eaff34c33b15868c4c267efd94cd75f0a680f0c9ee9a8b6956e375a37648e1ea29cd6f8be7772093d2585d5b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7895308507f19067adddcdbb52dea66f

SHA1
ed056612b389c7f0752facc455324d4bccfb5b19

SHA256
b0e26327f76a15c999eb17029f397d32055088d29654d7f714640fff5a00082f

SHA512
50a317d41a21220ac5fd20dde9125f229b4b1cebe2c7b3c79ad5e1db463a3d310e0c0cef9ac323a403f4144876eff0aab535ca148bd099c58dc4d6d16ff57ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
067ec8902ce0151735da27d9ce9be853

SHA1
9b38d31a747cc0125b72c7aa32d475c6005b07c9

SHA256
65005a550176b110b9a987a6953080c4abd5bcb0dde88426e453548b157707a9

SHA512
107a715ab02e4a7db45e7b71b6be11b3f5862f3930b6172c1265d9945006b6250009e55510d531408ab541cfd71c59c221fcf1d3d32073d7be6188d1c649ac4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4acb298124c6a3ea1178e928a5f13000

SHA1
faa773e44bc7a4cf95cacc90bc3a398548cb4b7a

SHA256
8ac231a7b5e827dbec8382cefa7cb5a838d560948355d7178994c988c42d7cc8

SHA512
307e674dec847f56532b153d05877efd275abb4c3e848575a70a851a04763f56fec63190ef744480e3b06320cfe74176a1aae0abe61b6dde6bdaf98de2dbed44

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
704KB

MD5
dbbd3fad2367ece4bb9928bba49188ad

SHA1
1ef2dd9662a8d837519f90dca0faf3835b16cc02

SHA256
10cfb0ebe27a346c050d534c9ef05d136510d97c412303adb127b7078371e933

SHA512
1e555333dd6d48d1e64db60b8e1ce8776ea2f109119fe6194e00bb7e64b30e903614b34e865f6742d322716eec7c9c86f2b89f066b060d1810c8195e7a77b55c

Download Submit