727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
Size

1.1MB
MD5

ceddae2d3b15ed8dd6ba9c89c0e19678
SHA1

e2176012fb1dbff73e660f7c9ae8868a0a0036e9
SHA256

727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89
SHA512

7e4eb5cf23ece12e9b8326fb15e71601f6f3cbfe49464a26b0f9d14cec29fef77270b951d52833e4616ab679f3850b30ff93e7125068d2ebf385b55e6c59986a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzMK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2640	svchcst.exe
2356	svchcst.exe
1776	svchcst.exe
1636	svchcst.exe
1720	svchcst.exe
840	svchcst.exe
1756	svchcst.exe
1596	svchcst.exe
1884	svchcst.exe
2764	svchcst.exe
2732	svchcst.exe
1936	svchcst.exe
2876	svchcst.exe
1324	svchcst.exe
1608	svchcst.exe
1732	svchcst.exe
1656	svchcst.exe
2780	svchcst.exe
2592	svchcst.exe
2124	svchcst.exe
1644	svchcst.exe
1692	svchcst.exe
1632	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2272	WScript.exe
2272	WScript.exe
2480	WScript.exe
2208	WScript.exe
2332	WScript.exe
2332	WScript.exe
2776	WScript.exe
332	WScript.exe
332	WScript.exe
332	WScript.exe
2068	WScript.exe
2468	WScript.exe
2528	WScript.exe
2528	WScript.exe
2528	WScript.exe
2528	WScript.exe
1060	WScript.exe
1780	WScript.exe
1128	WScript.exe
1128	WScript.exe
2188	WScript.exe
2188	WScript.exe
904	WScript.exe
904	WScript.exe
1600	WScript.exe
1600	WScript.exe
2648	WScript.exe
2648	WScript.exe
2640	WScript.exe
2640	WScript.exe
2468	WScript.exe
2468	WScript.exe
2720	WScript.exe
2720	WScript.exe
2200	WScript.exe
2200	WScript.exe
3032	WScript.exe
3032	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
2640	svchcst.exe
2640	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
840	svchcst.exe
840	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
1324	svchcst.exe
1324	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2272	2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe	28
PID 2164 wrote to memory of 2272	2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe	28
PID 2164 wrote to memory of 2272	2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe	28
PID 2164 wrote to memory of 2272	2164	727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe	28
PID 2272 wrote to memory of 2640	2272	WScript.exe	30
PID 2272 wrote to memory of 2640	2272	WScript.exe	30
PID 2272 wrote to memory of 2640	2272	WScript.exe	30
PID 2272 wrote to memory of 2640	2272	WScript.exe	30
PID 2640 wrote to memory of 2480	2640	svchcst.exe	31
PID 2640 wrote to memory of 2480	2640	svchcst.exe	31
PID 2640 wrote to memory of 2480	2640	svchcst.exe	31
PID 2640 wrote to memory of 2480	2640	svchcst.exe	31
PID 2480 wrote to memory of 2356	2480	WScript.exe	32
PID 2480 wrote to memory of 2356	2480	WScript.exe	32
PID 2480 wrote to memory of 2356	2480	WScript.exe	32
PID 2480 wrote to memory of 2356	2480	WScript.exe	32
PID 2356 wrote to memory of 2208	2356	svchcst.exe	33
PID 2356 wrote to memory of 2208	2356	svchcst.exe	33
PID 2356 wrote to memory of 2208	2356	svchcst.exe	33
PID 2356 wrote to memory of 2208	2356	svchcst.exe	33
PID 2208 wrote to memory of 1776	2208	WScript.exe	34
PID 2208 wrote to memory of 1776	2208	WScript.exe	34
PID 2208 wrote to memory of 1776	2208	WScript.exe	34
PID 2208 wrote to memory of 1776	2208	WScript.exe	34
PID 1776 wrote to memory of 2332	1776	svchcst.exe	35
PID 1776 wrote to memory of 2332	1776	svchcst.exe	35
PID 1776 wrote to memory of 2332	1776	svchcst.exe	35
PID 1776 wrote to memory of 2332	1776	svchcst.exe	35
PID 2332 wrote to memory of 1636	2332	WScript.exe	36
PID 2332 wrote to memory of 1636	2332	WScript.exe	36
PID 2332 wrote to memory of 1636	2332	WScript.exe	36
PID 2332 wrote to memory of 1636	2332	WScript.exe	36
PID 1636 wrote to memory of 2776	1636	svchcst.exe	37
PID 1636 wrote to memory of 2776	1636	svchcst.exe	37
PID 1636 wrote to memory of 2776	1636	svchcst.exe	37
PID 1636 wrote to memory of 2776	1636	svchcst.exe	37
PID 2776 wrote to memory of 1720	2776	WScript.exe	38
PID 2776 wrote to memory of 1720	2776	WScript.exe	38
PID 2776 wrote to memory of 1720	2776	WScript.exe	38
PID 2776 wrote to memory of 1720	2776	WScript.exe	38
PID 1720 wrote to memory of 332	1720	svchcst.exe	39
PID 1720 wrote to memory of 332	1720	svchcst.exe	39
PID 1720 wrote to memory of 332	1720	svchcst.exe	39
PID 1720 wrote to memory of 332	1720	svchcst.exe	39
PID 332 wrote to memory of 840	332	WScript.exe	40
PID 332 wrote to memory of 840	332	WScript.exe	40
PID 332 wrote to memory of 840	332	WScript.exe	40
PID 332 wrote to memory of 840	332	WScript.exe	40
PID 840 wrote to memory of 1548	840	svchcst.exe	41
PID 840 wrote to memory of 1548	840	svchcst.exe	41
PID 840 wrote to memory of 1548	840	svchcst.exe	41
PID 840 wrote to memory of 1548	840	svchcst.exe	41
PID 332 wrote to memory of 1756	332	WScript.exe	42
PID 332 wrote to memory of 1756	332	WScript.exe	42
PID 332 wrote to memory of 1756	332	WScript.exe	42
PID 332 wrote to memory of 1756	332	WScript.exe	42
PID 1756 wrote to memory of 2068	1756	svchcst.exe	43
PID 1756 wrote to memory of 2068	1756	svchcst.exe	43
PID 1756 wrote to memory of 2068	1756	svchcst.exe	43
PID 1756 wrote to memory of 2068	1756	svchcst.exe	43
PID 2068 wrote to memory of 1596	2068	WScript.exe	46
PID 2068 wrote to memory of 1596	2068	WScript.exe	46
PID 2068 wrote to memory of 1596	2068	WScript.exe	46
PID 2068 wrote to memory of 1596	2068	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe
"C:\Users\Admin\AppData\Local\Temp\727931a51abfa1d394edd4d8f290f4f10084b11c8b77dfd57a95f09245736c89.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
538d1d713bf6a73a54866c955a19b831

SHA1
f3b77aa6a349979fc896b10e3b6a8a4bff6b7bd9

SHA256
5a238c32a42469056987c5c1638bf16d057dcc72b9070c66a5090547d55ce082

SHA512
82643ca8c8b4ce4c17e53927b199056f0652eed4816d49b2374c6da9dae27ee9eac12338931bccee3cb80b03359a1357155e57bd5c17787df2e7a95676991475

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4d8de8aafa7849de2f40f61eb205cc42

SHA1
67decea42f8c2ee805e859a898922c90ae105cdc

SHA256
44a2def2aab8221d4302282a111d1b9592b8828363736aa27a3343836817d2e2

SHA512
a44c1b2e8bc3b432daac94073c22e3b93ee412e345f4b2037586fc178fc7909f9360c2ba0817d7648d0739aabf51c6533e87226bffcd7109974e561d901610fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2715b237065470118310e7eec5aa1dc1

SHA1
3ff418ec596b55bf631ca37502cb51a420f2f8b3

SHA256
44b6df7acfc64d809f9d8fb6a4706e702bbd70f088793f3803c5e3debf7fc524

SHA512
a3c15dd9e67506c8b8db423e9a412fef0e9545b34e32728265914bcef6f09b7568a4160014dba4e023a3bf9f2faa38654eaec067099e4ab9ac9673f1334acf09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0d821dd756a8a7ae548ac03527a28df7

SHA1
0b78a2991ef49ecb60f36e194dabb497b173d453

SHA256
6c66372a97d4e280f8c75a2b0b5bdc4905c28e0c44b599b942375cc101a1d0cd

SHA512
a79b5ebed88265a23367e528cb00290d0f5d0aace57d50d7609afd79446f82aec56587dc115b219fae10ba467972d06be18229bad7730f83ec4e9691c9ed4f69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e5e14702bfb5f878387da3c13ccba6ae

SHA1
381318c72d8432e92ac4148c5915ccf6452bb97f

SHA256
ba3fab7f522c966e6ea5f7b158ae187fb5e1762ae786135b2bb0f4aa0c6c2c53

SHA512
c7bf4d11eeea00a6fa074a0960371d1f75756cb4b5e78e78559a138e8de4347f343139d0573e08df0d018561c01993541e8fcc457f44d319f10a5b9099ad0af9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
96227fa328f12043e192c924df085cf4

SHA1
94dc8c48141a11b096ce00308137b6542d631d78

SHA256
74e214de2189a301f4421c90e05cf91eaf35f32d7f57de75242935e8b48e4641

SHA512
c63af52c72f3860a672d517e03f7b4e1945bc30403e61ef087ec5f948e542e565cd626d9b5ff3cd994a345fc898ac9557aeba26de007ac5a3a6509c65a5e1f40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c060e3ede06c8567e3165cee27aebc57

SHA1
d01e7a1e10afe0010932a6fba2a6534d8322d1ae

SHA256
654269c46893ac75654baef79583523d1da1b92545de0282ee04b146ed5dc0b7

SHA512
6ebd37c4fb24c4c8c0ced0909fd17e0f01f2e2f21396a3df4d6a05b8e5c4d597c0d168ffde405948c6676b6354df817a1d6470c9577d9bd1cf9a05f6c4ddef88

Download Submit
memory/2164-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download