9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
Size

1.1MB
MD5

0231e1676624af500f811a5cb0ed2ad8
SHA1

b2966bef2e46a3eb09df5b0c48754ca6fc0cac5c
SHA256

9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0
SHA512

19263682553e6404500cf7965bb1f1cb95b731c61d71794668c6f0f2121f2d2ff9726138d1b2ee92ab15315cb070850b567042e917eb74297904e08baabfb2ab
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRc:g5ApamAUAQ/lG4lBmFAvZc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2580	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2580	svchcst.exe
344	svchcst.exe
1936	svchcst.exe
1256	svchcst.exe
588	svchcst.exe
1140	svchcst.exe
2044	svchcst.exe
2064	svchcst.exe
2156	svchcst.exe
2452	svchcst.exe
1904	svchcst.exe
1936	svchcst.exe
2924	svchcst.exe
2780	svchcst.exe
1364	svchcst.exe
1996	svchcst.exe
2128	svchcst.exe
2648	svchcst.exe
2608	svchcst.exe
2496	svchcst.exe
2308	svchcst.exe
2660	svchcst.exe
2404	svchcst.exe
1840	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
1784	WScript.exe
1784	WScript.exe
2420	WScript.exe
2420	WScript.exe
2784	WScript.exe
2784	WScript.exe
2788	WScript.exe
2100	WScript.exe
2100	WScript.exe
1788	WScript.exe
804	WScript.exe
804	WScript.exe
1676	WScript.exe
2900	WScript.exe
2692	WScript.exe
2148	WScript.exe
2148	WScript.exe
2360	WScript.exe
2360	WScript.exe
1212	WScript.exe
1212	WScript.exe
448	WScript.exe
448	WScript.exe
1240	WScript.exe
1240	WScript.exe
1492	WScript.exe
1492	WScript.exe
2688	WScript.exe
2688	WScript.exe
3000	WScript.exe
3000	WScript.exe
2420	WScript.exe
2420	WScript.exe
872	WScript.exe
872	WScript.exe
1652	WScript.exe
1652	WScript.exe
2020	WScript.exe
2020	WScript.exe
2020	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
344	svchcst.exe
344	svchcst.exe
344	svchcst.exe
344	svchcst.exe
344	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
2580	svchcst.exe
2580	svchcst.exe
344	svchcst.exe
344	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
1256	svchcst.exe
1256	svchcst.exe
588	svchcst.exe
588	svchcst.exe
1140	svchcst.exe
1140	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
1904	svchcst.exe
1904	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
1364	svchcst.exe
1364	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
1840	svchcst.exe
1840	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1784	2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe	28
PID 2956 wrote to memory of 1784	2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe	28
PID 2956 wrote to memory of 1784	2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe	28
PID 2956 wrote to memory of 1784	2956	9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe	28
PID 1784 wrote to memory of 2580	1784	WScript.exe	30
PID 1784 wrote to memory of 2580	1784	WScript.exe	30
PID 1784 wrote to memory of 2580	1784	WScript.exe	30
PID 1784 wrote to memory of 2580	1784	WScript.exe	30
PID 2580 wrote to memory of 2420	2580	svchcst.exe	31
PID 2580 wrote to memory of 2420	2580	svchcst.exe	31
PID 2580 wrote to memory of 2420	2580	svchcst.exe	31
PID 2580 wrote to memory of 2420	2580	svchcst.exe	31
PID 2420 wrote to memory of 344	2420	WScript.exe	32
PID 2420 wrote to memory of 344	2420	WScript.exe	32
PID 2420 wrote to memory of 344	2420	WScript.exe	32
PID 2420 wrote to memory of 344	2420	WScript.exe	32
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 2784 wrote to memory of 1936	2784	WScript.exe	34
PID 2784 wrote to memory of 1936	2784	WScript.exe	34
PID 2784 wrote to memory of 1936	2784	WScript.exe	34
PID 2784 wrote to memory of 1936	2784	WScript.exe	34
PID 1936 wrote to memory of 2788	1936	svchcst.exe	35
PID 1936 wrote to memory of 2788	1936	svchcst.exe	35
PID 1936 wrote to memory of 2788	1936	svchcst.exe	35
PID 1936 wrote to memory of 2788	1936	svchcst.exe	35
PID 2788 wrote to memory of 1256	2788	WScript.exe	36
PID 2788 wrote to memory of 1256	2788	WScript.exe	36
PID 2788 wrote to memory of 1256	2788	WScript.exe	36
PID 2788 wrote to memory of 1256	2788	WScript.exe	36
PID 1256 wrote to memory of 2100	1256	svchcst.exe	37
PID 1256 wrote to memory of 2100	1256	svchcst.exe	37
PID 1256 wrote to memory of 2100	1256	svchcst.exe	37
PID 1256 wrote to memory of 2100	1256	svchcst.exe	37
PID 2100 wrote to memory of 588	2100	WScript.exe	38
PID 2100 wrote to memory of 588	2100	WScript.exe	38
PID 2100 wrote to memory of 588	2100	WScript.exe	38
PID 2100 wrote to memory of 588	2100	WScript.exe	38
PID 588 wrote to memory of 1788	588	svchcst.exe	39
PID 588 wrote to memory of 1788	588	svchcst.exe	39
PID 588 wrote to memory of 1788	588	svchcst.exe	39
PID 588 wrote to memory of 1788	588	svchcst.exe	39
PID 1788 wrote to memory of 1140	1788	WScript.exe	40
PID 1788 wrote to memory of 1140	1788	WScript.exe	40
PID 1788 wrote to memory of 1140	1788	WScript.exe	40
PID 1788 wrote to memory of 1140	1788	WScript.exe	40
PID 1140 wrote to memory of 804	1140	svchcst.exe	41
PID 1140 wrote to memory of 804	1140	svchcst.exe	41
PID 1140 wrote to memory of 804	1140	svchcst.exe	41
PID 1140 wrote to memory of 804	1140	svchcst.exe	41
PID 804 wrote to memory of 2044	804	WScript.exe	44
PID 804 wrote to memory of 2044	804	WScript.exe	44
PID 804 wrote to memory of 2044	804	WScript.exe	44
PID 804 wrote to memory of 2044	804	WScript.exe	44
PID 2044 wrote to memory of 1916	2044	svchcst.exe	45
PID 2044 wrote to memory of 1916	2044	svchcst.exe	45
PID 2044 wrote to memory of 1916	2044	svchcst.exe	45
PID 2044 wrote to memory of 1916	2044	svchcst.exe	45
PID 804 wrote to memory of 2064	804	WScript.exe	46
PID 804 wrote to memory of 2064	804	WScript.exe	46
PID 804 wrote to memory of 2064	804	WScript.exe	46
PID 804 wrote to memory of 2064	804	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe
"C:\Users\Admin\AppData\Local\Temp\9159b21d8fb531a2573aa74b2266237dc3438f972e5f3ee9b44abd269443e3a0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
adaef3dabb5fec7bb93ccb1663f58c8b

SHA1
b2bb7ce10bd84b2b4d121052629b8bc3dcc78275

SHA256
babc98f4a00a7f2b6a6f64fc11f5659ba5dcf5bfbbd0dfd2dd55d6d58576eeea

SHA512
404c4503c8c61f5f16d734776eb13713c993f2699c4ea984e01d5268a3a4b0295880cddb1553c9ff9a8005373d9cabb42fd22f5c36ba03a46f4f162c202e6cdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fa8ccc62aeefeab1f9c25e57306bc968

SHA1
562fda9383ef23b38620e78b2110e4882e8cac47

SHA256
f92022307b48b0bc737f7a5ef9014291fe0cf1c195b955f9a477e25ee456cfde

SHA512
026b5530de028a9e717351fda7db155c2030d89a6a42ddd3c8ea7127b9e26310d2fa968d3f7fd8cef9f9e0dfbfbe31a4f82afd47e42562ec0253a4f3b5f5be2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2b037b12cc1dfb7825fb53819f89d0fc

SHA1
5eab8fed2a9ccd61fb4cd25415670b7dc50fb060

SHA256
da4bfdad2b00d6a473fafdb1962fbe80ba237b0eecb28d4cebb94cdfe353ae2c

SHA512
21ad14f1d1207910f3f8d3ee067bd7f232d3e412e9ad925a8ce92403beb5a3b8e7c90f90f0932b18b7d966065bd27696fa30b17d2ad69f2bfd9aaca0f4eaee78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e799c729128edb7964bbf26bc93fbcdd

SHA1
90c977f1ab827d6c781e515ec7266962317758f3

SHA256
7f2d5d3934ba98c038dc74e1feef950316e7481329db3c35c8cfbbf327e16600

SHA512
ca96679853a7bde930421d19f0da70ebb7bf3d9f8e282e38705c66c667caa2ed3e8bba93d48201b94b668573be32e8ec45b3ec475ce9f7707df297777766fa67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87f1310dca7168de07087f5bbaed307f

SHA1
c72465de29199b18fd6d06f6f42d53250b0eff5a

SHA256
340f1c45a14f57a388582c3d027cfc69fd8e59e71f092430c8161ae0112334d2

SHA512
00ff581087d9f8b30fd033173c370363d6871c0a041e12634f25ddb410152079c25d6f875a25092c66c1a4bc3af4ecf03210488da51cd8b38a9fcebafafb58c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3aa0ea256c4909d2968b4d1c5a0a77cb

SHA1
6311aa96a7fc31443651dcd24afd5e6ad836d112

SHA256
ac32c75003d278514eec19b1e8da50e5e6b0a249ec928ea2bd0e82cb68ac2999

SHA512
966105aa368b05946dcc1cd5b79d2d153ba3108f4644b8df35846e17be0e4209311e750484dca8092984cd135d1d68922c4d427aa29505e086585795e3708626

Download Submit