a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
Size

1.1MB
MD5

5ea79538eb3fe4be756e953f36e0989d
SHA1

b6e04bb15dc6ac0b5c09ca39fa408c100d912b06
SHA256

a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11
SHA512

2faa1b5298a90d3f4a78b3cab4a1ddebff9baede156e2b65041c6c931b1504cbe9f2c8d4b47ab701b6297e32184cbd0db2830a9053780bfd96ac3b5024c07a03
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QD:CcaClSFlG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2716	svchcst.exe
2756	svchcst.exe
2028	svchcst.exe
1588	svchcst.exe
680	svchcst.exe
2344	svchcst.exe
920	svchcst.exe
2588	svchcst.exe
1260	svchcst.exe
2844	svchcst.exe
1272	svchcst.exe
2732	svchcst.exe
1904	svchcst.exe
848	svchcst.exe
956	svchcst.exe
2656	svchcst.exe
2632	svchcst.exe
2792	svchcst.exe
2228	svchcst.exe
2392	svchcst.exe
2744	svchcst.exe
2732	svchcst.exe
2376	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
1776	WScript.exe
1776	WScript.exe
2552	WScript.exe
2552	WScript.exe
3004	WScript.exe
3004	WScript.exe
496	WScript.exe
2488	WScript.exe
2488	WScript.exe
576	WScript.exe
576	WScript.exe
808	WScript.exe
808	WScript.exe
352	WScript.exe
352	WScript.exe
2824	WScript.exe
2824	WScript.exe
2500	WScript.exe
2500	WScript.exe
2316	WScript.exe
2316	WScript.exe
1420	WScript.exe
1420	WScript.exe
1772	WScript.exe
1772	WScript.exe
960	WScript.exe
960	WScript.exe
2244	WScript.exe
2244	WScript.exe
1600	WScript.exe
1600	WScript.exe
772	WScript.exe
772	WScript.exe
2524	WScript.exe
2524	WScript.exe
2592	WScript.exe
2592	WScript.exe
2904	WScript.exe
2904	WScript.exe
1632	WScript.exe
1632	WScript.exe
2016	WScript.exe
2016	WScript.exe
740	WScript.exe
740	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
2716	svchcst.exe
2716	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
680	svchcst.exe
680	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
920	svchcst.exe
920	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
1260	svchcst.exe
1260	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
1272	svchcst.exe
1272	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
1904	svchcst.exe
1904	svchcst.exe
848	svchcst.exe
848	svchcst.exe
956	svchcst.exe
956	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2228	svchcst.exe
2228	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1776	2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe	28
PID 2944 wrote to memory of 1776	2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe	28
PID 2944 wrote to memory of 1776	2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe	28
PID 2944 wrote to memory of 1776	2944	a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe	28
PID 1776 wrote to memory of 2716	1776	WScript.exe	30
PID 1776 wrote to memory of 2716	1776	WScript.exe	30
PID 1776 wrote to memory of 2716	1776	WScript.exe	30
PID 1776 wrote to memory of 2716	1776	WScript.exe	30
PID 2716 wrote to memory of 2552	2716	svchcst.exe	31
PID 2716 wrote to memory of 2552	2716	svchcst.exe	31
PID 2716 wrote to memory of 2552	2716	svchcst.exe	31
PID 2716 wrote to memory of 2552	2716	svchcst.exe	31
PID 2552 wrote to memory of 2756	2552	WScript.exe	32
PID 2552 wrote to memory of 2756	2552	WScript.exe	32
PID 2552 wrote to memory of 2756	2552	WScript.exe	32
PID 2552 wrote to memory of 2756	2552	WScript.exe	32
PID 2756 wrote to memory of 3004	2756	svchcst.exe	33
PID 2756 wrote to memory of 3004	2756	svchcst.exe	33
PID 2756 wrote to memory of 3004	2756	svchcst.exe	33
PID 2756 wrote to memory of 3004	2756	svchcst.exe	33
PID 3004 wrote to memory of 2028	3004	WScript.exe	34
PID 3004 wrote to memory of 2028	3004	WScript.exe	34
PID 3004 wrote to memory of 2028	3004	WScript.exe	34
PID 3004 wrote to memory of 2028	3004	WScript.exe	34
PID 2028 wrote to memory of 496	2028	svchcst.exe	35
PID 2028 wrote to memory of 496	2028	svchcst.exe	35
PID 2028 wrote to memory of 496	2028	svchcst.exe	35
PID 2028 wrote to memory of 496	2028	svchcst.exe	35
PID 496 wrote to memory of 1588	496	WScript.exe	36
PID 496 wrote to memory of 1588	496	WScript.exe	36
PID 496 wrote to memory of 1588	496	WScript.exe	36
PID 496 wrote to memory of 1588	496	WScript.exe	36
PID 1588 wrote to memory of 2488	1588	svchcst.exe	37
PID 1588 wrote to memory of 2488	1588	svchcst.exe	37
PID 1588 wrote to memory of 2488	1588	svchcst.exe	37
PID 1588 wrote to memory of 2488	1588	svchcst.exe	37
PID 2488 wrote to memory of 680	2488	WScript.exe	38
PID 2488 wrote to memory of 680	2488	WScript.exe	38
PID 2488 wrote to memory of 680	2488	WScript.exe	38
PID 2488 wrote to memory of 680	2488	WScript.exe	38
PID 680 wrote to memory of 576	680	svchcst.exe	39
PID 680 wrote to memory of 576	680	svchcst.exe	39
PID 680 wrote to memory of 576	680	svchcst.exe	39
PID 680 wrote to memory of 576	680	svchcst.exe	39
PID 576 wrote to memory of 2344	576	WScript.exe	40
PID 576 wrote to memory of 2344	576	WScript.exe	40
PID 576 wrote to memory of 2344	576	WScript.exe	40
PID 576 wrote to memory of 2344	576	WScript.exe	40
PID 2344 wrote to memory of 808	2344	svchcst.exe	41
PID 2344 wrote to memory of 808	2344	svchcst.exe	41
PID 2344 wrote to memory of 808	2344	svchcst.exe	41
PID 2344 wrote to memory of 808	2344	svchcst.exe	41
PID 808 wrote to memory of 920	808	WScript.exe	42
PID 808 wrote to memory of 920	808	WScript.exe	42
PID 808 wrote to memory of 920	808	WScript.exe	42
PID 808 wrote to memory of 920	808	WScript.exe	42
PID 920 wrote to memory of 352	920	svchcst.exe	43
PID 920 wrote to memory of 352	920	svchcst.exe	43
PID 920 wrote to memory of 352	920	svchcst.exe	43
PID 920 wrote to memory of 352	920	svchcst.exe	43
PID 352 wrote to memory of 2588	352	WScript.exe	46
PID 352 wrote to memory of 2588	352	WScript.exe	46
PID 352 wrote to memory of 2588	352	WScript.exe	46
PID 352 wrote to memory of 2588	352	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe
"C:\Users\Admin\AppData\Local\Temp\a857a0ff99743e8e4e74e15fb90aaa5b87057eb42b81e4e1aafb2fd927616d11.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b7d0c8434c4edee9693b2d29b80ab171

SHA1
28f37befe1450b19c998d8cc6e6b339f7aa8ce7f

SHA256
43e5aa15dfb2da231e8df7837ba98292f0ca6af22171a2ef93147d256c1951e7

SHA512
8728688726d17c87d58c1af7b5fbf1a0c243ec4a65bfd39442b2a6040bf94caae4bd322474a25e205ca0eaa5e03831dbc67a1d23bfd86fdfa7746357fc0b2cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
faf92ea9514d783f9491012da2e5b9e7

SHA1
096809068db7adba01245889c66e150e0b3726b8

SHA256
541b89910b54748f6e0097eb010c943710f6dd96f894c5404a724579ebd63daf

SHA512
f0b2080a2fbfc831cabbafd05e4eb040375d2f649c99d61a8666a537c95ee4621f87522b5d9b6873dbdff45cb6d171c6d7e45d69b62dfed8065b16321ccfe5ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b194eadbdf9945f2f82168ffd2296291

SHA1
57d325b54932b32f9e313800f6671162db5623f7

SHA256
57b4d80a89039512e5979d1f6a0b82a571548ba6c4643ec738fb735512af0d79

SHA512
8e1623f64594cb2c717c529fc8b309d79f4c671353d3524dbb0a3c7d300f241e5c9ef5a8f3c0c3a7e7cb7528ec6dc8e0d3036af9cb7d1c7871a5336e6144e78e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ca33e153fda8d334c59660c3c22b271b

SHA1
2199832f2d803b492f330389a6362a769cce56bf

SHA256
fa03b08384c07383277fb0779d52f7bcb2ab752fe10bf225896f7cc4d985c759

SHA512
e6eced5e989d77db14b5a7ed9b75db9a0270d679f168b850a4c6220dca3a68af6aa8536c23aef0f8c232e592f15972be8bc09d35438b7805d00e7dbbccf94d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2f53dd2eb64199747576ccccefd4f112

SHA1
6fee2913aa14a16f92152b8128fd4dc07332eaa8

SHA256
8af6af573536dcecf982d8fae38758842ebab95412d404d046d2ef41f764c3a9

SHA512
b08e98600be94817cf3040380604861994d60adbc73aad513e181dd71f6b33f68d4c8aab6c0b7de04386d7cf8c83b9197d92083dd6ac96ceac764e080339da78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eedca8d081c7f86065324fa613182bc6

SHA1
38c30a91d6d1535a6b8aa09642fbbb9ce1a4f8ea

SHA256
9d36b1982fa67ff3bb8c6d27fae29085d92ce5bc93b88303bb6c9e194370ae23

SHA512
8ee215b429104253f39ec8bcf7404e5f824033aca986a46ed9ba8258224e2e970b83d77f9872e3fca427a9ef3ee9db6aced6256bbe124f22c48035c507e79b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86f17200e4accd387605aa13c4016068

SHA1
6f8cacee356873ec4b510fe45e9193260d4a42cc

SHA256
306a331560237463abf220b5c37c35de71d478a383a64c54be47616b4b0b5aa7

SHA512
ac39a796804649e830c36e7ea735516288080576be3ebbf040d591496b2671f546902c9afc2834412004ffce2dc19f63a7c0b7e808cde87f8b53f94482ff4cde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7b9756a7e3fe82fc2d58050dfe6b9b97

SHA1
efea6210ebc7ad1047dad26044d5156448fb9872

SHA256
a39e84a44dcf1e98f04ad9d1603dcc19361d59e3691a6e50423e291ae867ed28

SHA512
83a95ca0ef36ac3de70808f235b2636936da9f0a0219e115aca4a0add6c3627351e5fdbc38ab229fb1d727b5f77c62a764d974e0ce22c37d5e33d6eed0511902

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a974aa811583a689c82751f26dcd177

SHA1
c6c7207460d7246e48c998fc94e0cfb64f59b314

SHA256
91c8005d307aa2df36486e902515c81e60d8a6e98a39b624d4ce251536e07a57

SHA512
9c10c0e6a027b055d0a3915852c9f0df062ec42f1128844dfa6d7bedc5c6ffd67c0840c6e868b4fffcfb4a082f2eacb9317b511254e60aec0613c1e2fb4f610b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7cea4c545fd938d9f0282dd86c4de251

SHA1
4fbfdb1b7388c044517d35fac922f0fecf4303d6

SHA256
f924f312e3d96e8a73adca5d087b13ecd50e21f592d0fab9c6974c33c967729e

SHA512
55fdb33d70650c78960d5cfb365987a67c220f9ab581e66692bde9a2c8c7efc2774a71236c406bf4fa7b39456f7adda7d42f8befe871fb2dd1f2f18fd661e81c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a9a44410d3389681bbada2d2841cc576

SHA1
af85122167a7a81b3ff31e3d637afdb5c2053adb

SHA256
d9189f7bd0eb005bc8ee6e97fca3cb4bf0b9dc6efbb8123ac293759bab3713ae

SHA512
d6815a54c41618a84785ed773df943d5a2ea99373e764a3b8bacad162624a438dc404047657659b73c9f1a292c773f91f963274a38743b8968a24d83800c8380

Download Submit
memory/2944-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download