9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe
Size

1.1MB
MD5

1a5dc8768b70a470aa4143cad7b8613d
SHA1

a357bc09f8718d1308743fb954c7f4ee1bfa5ac3
SHA256

9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457
SHA512

15d91650c44ac532c9fef99a5d513d2063937675f81db1f5d4d87a47db3e5994c266e87d3e9c0e26362794f14e03c417a7823dd0e8adcacbb6d94aa060fab8c5
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2708	svchcst.exe
2864	svchcst.exe
1628	svchcst.exe
2280	svchcst.exe
332	svchcst.exe
2012	svchcst.exe
880	svchcst.exe
2016	svchcst.exe
1516	svchcst.exe
1220	svchcst.exe
1396	svchcst.exe
2104	svchcst.exe
1760	svchcst.exe
692	svchcst.exe
1568	svchcst.exe
1508	svchcst.exe
2776	svchcst.exe
2544	svchcst.exe
2708	svchcst.exe
2800	svchcst.exe
1156	svchcst.exe
2856	svchcst.exe
648	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
3044	WScript.exe
3044	WScript.exe
2572	WScript.exe
2572	WScript.exe
1044	WScript.exe
1044	WScript.exe
2000	WScript.exe
2000	WScript.exe
1944	WScript.exe
1944	WScript.exe
1476	WScript.exe
1476	WScript.exe
948	WScript.exe
948	WScript.exe
2964	WScript.exe
2964	WScript.exe
2852	WScript.exe
2852	WScript.exe
2528	WScript.exe
2528	WScript.exe
2332	WScript.exe
2332	WScript.exe
1752	WScript.exe
1752	WScript.exe
1308	WScript.exe
1308	WScript.exe
2968	WScript.exe
2968	WScript.exe
836	WScript.exe
836	WScript.exe
1328	WScript.exe
1328	WScript.exe
2084	WScript.exe
2084	WScript.exe
2848	WScript.exe
2848	WScript.exe
1696	WScript.exe
1696	WScript.exe
2396	WScript.exe
2396	WScript.exe
2916	WScript.exe
2916	WScript.exe
1264	WScript.exe
1264	WScript.exe
2988	WScript.exe
2988	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe
3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe
2708	svchcst.exe
2708	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
332	svchcst.exe
332	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
880	svchcst.exe
880	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
1396	svchcst.exe
1396	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
692	svchcst.exe
692	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
648	svchcst.exe
648	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3044	3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe	28
PID 3000 wrote to memory of 3044	3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe	28
PID 3000 wrote to memory of 3044	3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe	28
PID 3000 wrote to memory of 3044	3000	9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe	28
PID 3044 wrote to memory of 2708	3044	WScript.exe	30
PID 3044 wrote to memory of 2708	3044	WScript.exe	30
PID 3044 wrote to memory of 2708	3044	WScript.exe	30
PID 3044 wrote to memory of 2708	3044	WScript.exe	30
PID 2708 wrote to memory of 2572	2708	svchcst.exe	31
PID 2708 wrote to memory of 2572	2708	svchcst.exe	31
PID 2708 wrote to memory of 2572	2708	svchcst.exe	31
PID 2708 wrote to memory of 2572	2708	svchcst.exe	31
PID 2572 wrote to memory of 2864	2572	WScript.exe	32
PID 2572 wrote to memory of 2864	2572	WScript.exe	32
PID 2572 wrote to memory of 2864	2572	WScript.exe	32
PID 2572 wrote to memory of 2864	2572	WScript.exe	32
PID 2864 wrote to memory of 1044	2864	svchcst.exe	33
PID 2864 wrote to memory of 1044	2864	svchcst.exe	33
PID 2864 wrote to memory of 1044	2864	svchcst.exe	33
PID 2864 wrote to memory of 1044	2864	svchcst.exe	33
PID 1044 wrote to memory of 1628	1044	WScript.exe	34
PID 1044 wrote to memory of 1628	1044	WScript.exe	34
PID 1044 wrote to memory of 1628	1044	WScript.exe	34
PID 1044 wrote to memory of 1628	1044	WScript.exe	34
PID 1628 wrote to memory of 2000	1628	svchcst.exe	35
PID 1628 wrote to memory of 2000	1628	svchcst.exe	35
PID 1628 wrote to memory of 2000	1628	svchcst.exe	35
PID 1628 wrote to memory of 2000	1628	svchcst.exe	35
PID 2000 wrote to memory of 2280	2000	WScript.exe	36
PID 2000 wrote to memory of 2280	2000	WScript.exe	36
PID 2000 wrote to memory of 2280	2000	WScript.exe	36
PID 2000 wrote to memory of 2280	2000	WScript.exe	36
PID 2280 wrote to memory of 1944	2280	svchcst.exe	37
PID 2280 wrote to memory of 1944	2280	svchcst.exe	37
PID 2280 wrote to memory of 1944	2280	svchcst.exe	37
PID 2280 wrote to memory of 1944	2280	svchcst.exe	37
PID 1944 wrote to memory of 332	1944	WScript.exe	38
PID 1944 wrote to memory of 332	1944	WScript.exe	38
PID 1944 wrote to memory of 332	1944	WScript.exe	38
PID 1944 wrote to memory of 332	1944	WScript.exe	38
PID 332 wrote to memory of 1476	332	svchcst.exe	39
PID 332 wrote to memory of 1476	332	svchcst.exe	39
PID 332 wrote to memory of 1476	332	svchcst.exe	39
PID 332 wrote to memory of 1476	332	svchcst.exe	39
PID 1476 wrote to memory of 2012	1476	WScript.exe	40
PID 1476 wrote to memory of 2012	1476	WScript.exe	40
PID 1476 wrote to memory of 2012	1476	WScript.exe	40
PID 1476 wrote to memory of 2012	1476	WScript.exe	40
PID 2012 wrote to memory of 948	2012	svchcst.exe	41
PID 2012 wrote to memory of 948	2012	svchcst.exe	41
PID 2012 wrote to memory of 948	2012	svchcst.exe	41
PID 2012 wrote to memory of 948	2012	svchcst.exe	41
PID 948 wrote to memory of 880	948	WScript.exe	42
PID 948 wrote to memory of 880	948	WScript.exe	42
PID 948 wrote to memory of 880	948	WScript.exe	42
PID 948 wrote to memory of 880	948	WScript.exe	42
PID 880 wrote to memory of 2964	880	svchcst.exe	43
PID 880 wrote to memory of 2964	880	svchcst.exe	43
PID 880 wrote to memory of 2964	880	svchcst.exe	43
PID 880 wrote to memory of 2964	880	svchcst.exe	43
PID 2964 wrote to memory of 2016	2964	WScript.exe	46
PID 2964 wrote to memory of 2016	2964	WScript.exe	46
PID 2964 wrote to memory of 2016	2964	WScript.exe	46
PID 2964 wrote to memory of 2016	2964	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe
"C:\Users\Admin\AppData\Local\Temp\9087dfe67cc572ef184414d4d794e2931e801bb04a2e0b25ed38cea247f46457.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
33e7888ce494d2c8b707e9595dbe9b42

SHA1
9d077a37f8194e6333102e51dcaf79e0d1707c02

SHA256
b0cfd9bb9f7900be2592c312acd6c6608597027c22a5428deaf8c8471ca649ac

SHA512
dfb6bc0fc7804a22f03eee72f69ece0a02baa6305ae21936f800dbade14528db7b105d593caaeb36b06bfd6e1fbd98fb1462e3a88492d01a57d6c9cfd063d577

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
603be4ee47a510aea10b30532f410549

SHA1
8b14f15370d434a2b35205cbd4edc881b4477850

SHA256
178f99f12a3ce5b076f0e36e1660f20969f42c03593734c627a75ba94a92ef0a

SHA512
0ccc9b8396e72a3b033c382cd17cdc9248be7dbeaa882d6e1ddbd3ee011824d4f7227909a502e565bdf13b415cc98d2afc03433d2ab9deed8513ba243f5f684a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8abecab5a6b57d2942f2fd71f3cb3b80

SHA1
a2101b5262c06a5dc4ef675b0517dd9847b7f489

SHA256
acf2d88dd728abc56fffb6ab1911298229b4cdaf1af3f78e605b701df338938f

SHA512
65440f0a98d448bf75fb919fbcecb826be0305a14dc339c1497f1513470353808d826cd2cad75d80aa8227ff837bf5cc694fa699d1c85ef29073e743be619a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0758fab63bd446f535e63fef5bec7874

SHA1
e707a66ae675a41c7cafe492121e5951eda83a32

SHA256
144f6f314c1b687a98d40cb88242331fca49cfc82895d35cdeb557dbf04f4d75

SHA512
563d5ba080221d27388b94c11a098828aab0dda56296eed5798c72f61edb9d291aee4a95a5ec43f35649f6b4b354d87cdc4bb8a10cd97f570c168515a13c07ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
900d652188f7a917e353e7438d7ba1db

SHA1
52e9cd7c4e1b03824611088183df5071794600d6

SHA256
ff7854c84c35527a969882a0c51bdae446078796d362e1df2a52bd7d5bf5ae59

SHA512
126d1a46aa7cdf8ba8207caa239df35ac9303ce3deccc6d6be3ee437076ff21f8ce44393273f9eb9ecdb265c080bba1dc0ffbb5ace033187031f385b1d5d63d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ddb544fa6d3fc13024fe8ded215cfe52

SHA1
2e53a81946f8d839224da56709b48e6a662d1e90

SHA256
67f3c307cc95fc6746f872e0ba8c5d834b36982cba66ef85c3228d4658b0edb5

SHA512
0941742a1a42954c05d2b4ec5bbbd6d4a5de18cc1f4c77ff35370d3639421a0b5575b3964b419c5db61fb8a7b390a514f41cddec28bbd847b02d2113c8473936

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6beea9c3f31929b60eae1bcaaf846f91

SHA1
98d542cfbfc4727968f4785d2cc5d46cf00ca54a

SHA256
5fe61934bda96d19285e39cbaecd6ba4978f95d5fc705ee7aae4b0e16ef9c7ee

SHA512
7d3f3c793994cd13b87e21b99d2d03fd4cff4c9ee6ecf9fee9748884de3bddd2c3d5c0a9781a70b11de392442f615648b34064a8b8a6ff747dd8ea63c1555af4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eedbb02425518b0bf061de18e4221200

SHA1
0112dcd1c5d45b255eeea3442ff6fb8fbe46bf77

SHA256
762ae4e1dea8e1d3693788838a3f489733394502a656fed576206ed955811667

SHA512
d5dca884eb8b3cd11123557147364103dbabd8c9732422d28d4c1a3667b836d6ee46824878f7c4c3d2a5672d5739711d42abe5e5903f218b44d83f0228c5267c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ac7210aa39e0fb177ba2b562d166ddb

SHA1
04c4423013b247f29eae8627a11f4d575a276794

SHA256
298431971ed5a04ded7ac96b8e7ec6a12b1552ce4ec923fb1a8ca31b7304c829

SHA512
b42b5a631a0cd98ba03fb86e196f40c2fb5fb9aa57121738ace01e2a3484de69edcaa588864a75499145d55b526360a3579d73b619a4213e0f60e66f93bbeece

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f7eb4542d72ec3dba62931d6514e71ac

SHA1
f7fa89cd9fc8882fa48ca550873007ae1d4c34bf

SHA256
436c427611467621d39ea1963a4b63844cd36282d3ca6448d5b3d8b7ddd72983

SHA512
140074cbf876a9f5bb22e079dfe5fb1824cbd3342281699d35ba571e6c84a5f05ec20070cee0aeafda9e176fda889719f41eec6ce9af5140146ee0a9fd400bd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8d5ff9bb4fd0f793ffa8e0394f8c929a

SHA1
90e1ec0ef93a1f341f36f1806dc096278f7d6e07

SHA256
5a36cad58a47a2b430bf037c0e56bb0bec228243bf97ffec4dce79c19d2a1626

SHA512
30da7c1d0198b1029715ec8fa8f4663ed1532afbfd55a3025cc2badff0a05b7c649339003a012db6552524cb36cfa7953dfd2c47cbb874f853477ed9a76f9167

Download Submit
memory/3000-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download