9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 06:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe
Size

1.1MB
MD5

fc30d9fddd5dccc0b891fabf24664500
SHA1

6fc765362b94db6fcdde780b54ecd323e5424882
SHA256

9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3
SHA512

af0a15fea20be5ca2f3ea2932e0fdf15d0575e7771e2c343d6e66e4011025ee5e17dda7fbe28bf34657fdedd661ea3c2d10cdd02e637c4c5391e224d85133590
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QJ:CcaClSFlG4ZM7QzMq

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	svchcst.exe

Executes dropped EXE 26 IoCs

pid	Process
2712	svchcst.exe
1576	svchcst.exe
1600	svchcst.exe
2036	svchcst.exe
824	svchcst.exe
2896	svchcst.exe
3012	svchcst.exe
1004	svchcst.exe
2100	svchcst.exe
2576	svchcst.exe
1636	svchcst.exe
2604	svchcst.exe
856	svchcst.exe
692	svchcst.exe
3060	svchcst.exe
2376	svchcst.exe
1980	svchcst.exe
1756	svchcst.exe
2220	svchcst.exe
2432	svchcst.exe
1732	svchcst.exe
948	svchcst.exe
556	svchcst.exe
1692	svchcst.exe
336	svchcst.exe
2256	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2828	WScript.exe
2828	WScript.exe
2440	WScript.exe
2440	WScript.exe
1888	WScript.exe
1888	WScript.exe
2240	WScript.exe
1912	WScript.exe
1912	WScript.exe
1772	WScript.exe
860	WScript.exe
860	WScript.exe
2772	WScript.exe
2836	WScript.exe
1864	WScript.exe
1864	WScript.exe
2796	WScript.exe
2700	WScript.exe
2700	WScript.exe
1968	WScript.exe
1968	WScript.exe
2896	WScript.exe
2896	WScript.exe
2896	WScript.exe
2896	WScript.exe
2888	WScript.exe
2888	WScript.exe
1500	WScript.exe
1500	WScript.exe
2204	WScript.exe
2204	WScript.exe
2884	WScript.exe
2884	WScript.exe
296	WScript.exe
296	WScript.exe
1276	WScript.exe
1276	WScript.exe
2252	WScript.exe
2252	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe
1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe
2712	svchcst.exe
2712	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
824	svchcst.exe
824	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
1004	svchcst.exe
1004	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
856	svchcst.exe
856	svchcst.exe
692	svchcst.exe
692	svchcst.exe
2376	svchcst.exe
3060	svchcst.exe
2376	svchcst.exe
3060	svchcst.exe
1980	svchcst.exe
1980	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
948	svchcst.exe
948	svchcst.exe
556	svchcst.exe
556	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
336	svchcst.exe
336	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2828	1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe	28
PID 1964 wrote to memory of 2828	1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe	28
PID 1964 wrote to memory of 2828	1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe	28
PID 1964 wrote to memory of 2828	1964	9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe	28
PID 2828 wrote to memory of 2712	2828	WScript.exe	30
PID 2828 wrote to memory of 2712	2828	WScript.exe	30
PID 2828 wrote to memory of 2712	2828	WScript.exe	30
PID 2828 wrote to memory of 2712	2828	WScript.exe	30
PID 2712 wrote to memory of 2440	2712	svchcst.exe	31
PID 2712 wrote to memory of 2440	2712	svchcst.exe	31
PID 2712 wrote to memory of 2440	2712	svchcst.exe	31
PID 2712 wrote to memory of 2440	2712	svchcst.exe	31
PID 2440 wrote to memory of 1576	2440	WScript.exe	32
PID 2440 wrote to memory of 1576	2440	WScript.exe	32
PID 2440 wrote to memory of 1576	2440	WScript.exe	32
PID 2440 wrote to memory of 1576	2440	WScript.exe	32
PID 1576 wrote to memory of 1888	1576	svchcst.exe	33
PID 1576 wrote to memory of 1888	1576	svchcst.exe	33
PID 1576 wrote to memory of 1888	1576	svchcst.exe	33
PID 1576 wrote to memory of 1888	1576	svchcst.exe	33
PID 1888 wrote to memory of 1600	1888	WScript.exe	34
PID 1888 wrote to memory of 1600	1888	WScript.exe	34
PID 1888 wrote to memory of 1600	1888	WScript.exe	34
PID 1888 wrote to memory of 1600	1888	WScript.exe	34
PID 1600 wrote to memory of 2240	1600	svchcst.exe	35
PID 1600 wrote to memory of 2240	1600	svchcst.exe	35
PID 1600 wrote to memory of 2240	1600	svchcst.exe	35
PID 1600 wrote to memory of 2240	1600	svchcst.exe	35
PID 2240 wrote to memory of 2036	2240	WScript.exe	36
PID 2240 wrote to memory of 2036	2240	WScript.exe	36
PID 2240 wrote to memory of 2036	2240	WScript.exe	36
PID 2240 wrote to memory of 2036	2240	WScript.exe	36
PID 2036 wrote to memory of 1912	2036	svchcst.exe	37
PID 2036 wrote to memory of 1912	2036	svchcst.exe	37
PID 2036 wrote to memory of 1912	2036	svchcst.exe	37
PID 2036 wrote to memory of 1912	2036	svchcst.exe	37
PID 1912 wrote to memory of 824	1912	WScript.exe	38
PID 1912 wrote to memory of 824	1912	WScript.exe	38
PID 1912 wrote to memory of 824	1912	WScript.exe	38
PID 1912 wrote to memory of 824	1912	WScript.exe	38
PID 824 wrote to memory of 1772	824	svchcst.exe	39
PID 824 wrote to memory of 1772	824	svchcst.exe	39
PID 824 wrote to memory of 1772	824	svchcst.exe	39
PID 824 wrote to memory of 1772	824	svchcst.exe	39
PID 1912 wrote to memory of 2896	1912	WScript.exe	40
PID 1912 wrote to memory of 2896	1912	WScript.exe	40
PID 1912 wrote to memory of 2896	1912	WScript.exe	40
PID 1912 wrote to memory of 2896	1912	WScript.exe	40
PID 2896 wrote to memory of 860	2896	svchcst.exe	41
PID 2896 wrote to memory of 860	2896	svchcst.exe	41
PID 2896 wrote to memory of 860	2896	svchcst.exe	41
PID 2896 wrote to memory of 860	2896	svchcst.exe	41
PID 1772 wrote to memory of 3012	1772	WScript.exe	42
PID 1772 wrote to memory of 3012	1772	WScript.exe	42
PID 1772 wrote to memory of 3012	1772	WScript.exe	42
PID 1772 wrote to memory of 3012	1772	WScript.exe	42
PID 860 wrote to memory of 1004	860	WScript.exe	43
PID 860 wrote to memory of 1004	860	WScript.exe	43
PID 860 wrote to memory of 1004	860	WScript.exe	43
PID 860 wrote to memory of 1004	860	WScript.exe	43
PID 3012 wrote to memory of 2772	3012	svchcst.exe	44
PID 3012 wrote to memory of 2772	3012	svchcst.exe	44
PID 3012 wrote to memory of 2772	3012	svchcst.exe	44
PID 3012 wrote to memory of 2772	3012	svchcst.exe	44

C:\Users\Admin\AppData\Local\Temp\9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe
"C:\Users\Admin\AppData\Local\Temp\9a8666fd99f237286d73a308764f720296ee2ffd52f857ee2c96fc3531475fd3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
02c0783b10e76a283288fd3c8c93410d

SHA1
bf57b828aa2f953cf12e260e128161d3f72d0e5b

SHA256
b1c8174235171548af77845722c41396a21e4e856fbb149ce77d99ba8b160d22

SHA512
6364366b27fa43443f12551d81f1746997ce8f90565e6b886cb6797cff342fec17624171c9c4b93c231d28ed97ca1c4805f53c33ae729f89742ed64179e0ddac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cf593317e1c03f40fe74e99175ccf14f

SHA1
585bb9d7b8204ec2958bbe432a56d0de9f03d216

SHA256
ea634a68143aa8682a3715cf983bbe7e27506c94ae6dd6ca0db819d954dab4d4

SHA512
61bf44ae13005a119c131b47c144442531542b1050fd54a5ece50f6171f9f40e18934aa369f84fa1d61d9313033280604ef16cf5cac61f869afb135ec30166d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f20ffb573c7ea1d612ce05c8ffaba50e

SHA1
1b591ca65e796334cdc9c6db3720e8f01341fe7b

SHA256
ea22fd006adce6c146a245d9c8b45813c3e3ff4065e625f62bdd0d387f10fa12

SHA512
3d873579a2bc3bbd4f58efe87f16226af5244e9d80b8913ec735f512e2c7de2ae6481ff3b42fe00e0acad035df006196b4e5b007e4ed1729d61eb98ad68047f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
445b84d097afd8bbe2ce976021c492b4

SHA1
005968f29925495a8d45d22bda6ee922f4cb1b06

SHA256
a9f90f4bf0b42c17953986997ebd51e1c633f183d5f1272707d64f504136df1f

SHA512
698ce4082c7db0958a63dd53c465bfc6aa79c42122bed7590ffebee1caf852f1f81b131c02ed94ab9f3fec4889584453bae2d5f0123e4e09064a918f1d3ee11c

Download Submit