096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe
Size

1.1MB
MD5

797f3fabfc7ed695bafb8d14750a126c
SHA1

049518d6b65d71807bfb4597f8363dcac9c99aeb
SHA256

096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37
SHA512

58a2f00b9e109aa8a19b247847a6f2834f43f79b136bfcf99b27f543c62621cd1e65b46120fa7fd46c43843c2302b5778e8c1fb98103042c4bc7094bd75385a7
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q4:acallSllG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2472	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2472	svchcst.exe
2316	svchcst.exe
1656	svchcst.exe
2728	svchcst.exe
1568	svchcst.exe
868	svchcst.exe
2208	svchcst.exe
2204	svchcst.exe
2496	svchcst.exe
1560	svchcst.exe
1840	svchcst.exe
2812	svchcst.exe
2224	svchcst.exe
704	svchcst.exe
900	svchcst.exe
2196	svchcst.exe
2540	svchcst.exe
2164	svchcst.exe
1832	svchcst.exe
2148	svchcst.exe
2720	svchcst.exe
2792	svchcst.exe
2824	svchcst.exe
348	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
1940	WScript.exe
1940	WScript.exe
2640	WScript.exe
2640	WScript.exe
808	WScript.exe
808	WScript.exe
1280	WScript.exe
2864	WScript.exe
2864	WScript.exe
2864	WScript.exe
764	WScript.exe
764	WScript.exe
2984	WScript.exe
2984	WScript.exe
2880	WScript.exe
2880	WScript.exe
1740	WScript.exe
1740	WScript.exe
1492	WScript.exe
1492	WScript.exe
2556	WScript.exe
1400	WScript.exe
1400	WScript.exe
688	WScript.exe
688	WScript.exe
1468	WScript.exe
1468	WScript.exe
1884	WScript.exe
1884	WScript.exe
1624	WScript.exe
1624	WScript.exe
1940	WScript.exe
1940	WScript.exe
2272	WScript.exe
2272	WScript.exe
2672	WScript.exe
2672	WScript.exe
2452	WScript.exe
2452	WScript.exe
1156	WScript.exe
1156	WScript.exe
1224	WScript.exe
1224	WScript.exe
1204	WScript.exe
1204	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe
2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe
2472	svchcst.exe
2472	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
1840	svchcst.exe
1840	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
704	svchcst.exe
704	svchcst.exe
900	svchcst.exe
900	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
1832	svchcst.exe
1832	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
348	svchcst.exe
348	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1940	2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe	28
PID 2420 wrote to memory of 1940	2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe	28
PID 2420 wrote to memory of 1940	2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe	28
PID 2420 wrote to memory of 1940	2420	096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe	28
PID 1940 wrote to memory of 2472	1940	WScript.exe	30
PID 1940 wrote to memory of 2472	1940	WScript.exe	30
PID 1940 wrote to memory of 2472	1940	WScript.exe	30
PID 1940 wrote to memory of 2472	1940	WScript.exe	30
PID 2472 wrote to memory of 2640	2472	svchcst.exe	31
PID 2472 wrote to memory of 2640	2472	svchcst.exe	31
PID 2472 wrote to memory of 2640	2472	svchcst.exe	31
PID 2472 wrote to memory of 2640	2472	svchcst.exe	31
PID 2640 wrote to memory of 2316	2640	WScript.exe	32
PID 2640 wrote to memory of 2316	2640	WScript.exe	32
PID 2640 wrote to memory of 2316	2640	WScript.exe	32
PID 2640 wrote to memory of 2316	2640	WScript.exe	32
PID 2316 wrote to memory of 808	2316	svchcst.exe	33
PID 2316 wrote to memory of 808	2316	svchcst.exe	33
PID 2316 wrote to memory of 808	2316	svchcst.exe	33
PID 2316 wrote to memory of 808	2316	svchcst.exe	33
PID 808 wrote to memory of 1656	808	WScript.exe	34
PID 808 wrote to memory of 1656	808	WScript.exe	34
PID 808 wrote to memory of 1656	808	WScript.exe	34
PID 808 wrote to memory of 1656	808	WScript.exe	34
PID 1656 wrote to memory of 1280	1656	svchcst.exe	35
PID 1656 wrote to memory of 1280	1656	svchcst.exe	35
PID 1656 wrote to memory of 1280	1656	svchcst.exe	35
PID 1656 wrote to memory of 1280	1656	svchcst.exe	35
PID 1280 wrote to memory of 2728	1280	WScript.exe	36
PID 1280 wrote to memory of 2728	1280	WScript.exe	36
PID 1280 wrote to memory of 2728	1280	WScript.exe	36
PID 1280 wrote to memory of 2728	1280	WScript.exe	36
PID 2728 wrote to memory of 2864	2728	svchcst.exe	37
PID 2728 wrote to memory of 2864	2728	svchcst.exe	37
PID 2728 wrote to memory of 2864	2728	svchcst.exe	37
PID 2728 wrote to memory of 2864	2728	svchcst.exe	37
PID 2864 wrote to memory of 1568	2864	WScript.exe	38
PID 2864 wrote to memory of 1568	2864	WScript.exe	38
PID 2864 wrote to memory of 1568	2864	WScript.exe	38
PID 2864 wrote to memory of 1568	2864	WScript.exe	38
PID 1568 wrote to memory of 1968	1568	svchcst.exe	39
PID 1568 wrote to memory of 1968	1568	svchcst.exe	39
PID 1568 wrote to memory of 1968	1568	svchcst.exe	39
PID 1568 wrote to memory of 1968	1568	svchcst.exe	39
PID 2864 wrote to memory of 868	2864	WScript.exe	40
PID 2864 wrote to memory of 868	2864	WScript.exe	40
PID 2864 wrote to memory of 868	2864	WScript.exe	40
PID 2864 wrote to memory of 868	2864	WScript.exe	40
PID 868 wrote to memory of 764	868	svchcst.exe	41
PID 868 wrote to memory of 764	868	svchcst.exe	41
PID 868 wrote to memory of 764	868	svchcst.exe	41
PID 868 wrote to memory of 764	868	svchcst.exe	41
PID 764 wrote to memory of 2208	764	WScript.exe	42
PID 764 wrote to memory of 2208	764	WScript.exe	42
PID 764 wrote to memory of 2208	764	WScript.exe	42
PID 764 wrote to memory of 2208	764	WScript.exe	42
PID 2208 wrote to memory of 2984	2208	svchcst.exe	43
PID 2208 wrote to memory of 2984	2208	svchcst.exe	43
PID 2208 wrote to memory of 2984	2208	svchcst.exe	43
PID 2208 wrote to memory of 2984	2208	svchcst.exe	43
PID 2984 wrote to memory of 2204	2984	WScript.exe	46
PID 2984 wrote to memory of 2204	2984	WScript.exe	46
PID 2984 wrote to memory of 2204	2984	WScript.exe	46
PID 2984 wrote to memory of 2204	2984	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe
"C:\Users\Admin\AppData\Local\Temp\096103a9ac594bbd81a56684f38ae07cd1a689e2daf1d6384650538cde53db37.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
002d59e387a2aab05685cb845ea004e9

SHA1
6e1b96dfe552b06880783d1a020de74d61387d38

SHA256
e4fa27721fc4d60dff5cc5e9c53f3a8e8fcac726d91b0a0e38c68bbb148ea2c4

SHA512
52cd1a5b166b8ef6b77560d5666f68a9cef5ec81ac43a834bcc97804cc4330633a6ac68a8b3e964f85b8afd2de98adc8cae73344b2fc0735023cfc65e44d46a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aac0fba8016aa15609aa7abb5db077ae

SHA1
f8afa6ff11a91f46eb961727ec6a5fad360fa1c9

SHA256
76a6ce5f2e579dc37db23bb0e1ef5ebdd8b02e6b22b6f8da1a17964db237a8a0

SHA512
26a4910f08563b7c4b1e1abba82fefdefcb43b7d1149d5e6c7dda36db4aa142c4b74bc64263f23a5177804e2191696795e0de5d5368ea6903b398415d435962e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8a63a118db41c87cfd949647804868e4

SHA1
d8e769c741d956b1940693113177c6a262c9938a

SHA256
cf028bfb836e0f6bd6b18d3fb053b3460ac79ae0a5874e32370efc327c3c41aa

SHA512
d1d2294a1fb376799370ced6326d4fe35b92641d2b53eb679c40d958f2454bd7e6641ece833b8cca592305a0e30fee74bc32a42b36f5a8266bde88d2f79ccffe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a539bfcf741cc63f48d320efc6eb7e3f

SHA1
106347812d1c1b94e56c3f0f545213c49cfda9e3

SHA256
d3cb021d12bccf6517f33fb80e8b5020f1e0f83e1a1a0398f336a727ebf18335

SHA512
cb9b89bf56a9befa7eed758d0d70d2631fde177c9d6dd31610733e144daf6a312076050647735d67c2921e1c8f5539cf841fba20d25e7be4d38b8f515ec25c79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2b82f0362389cca1c7d3196aed9687ec

SHA1
3c34426fc541af426280f865f02d1f5182e64000

SHA256
f037b6e4ebac0c5f6aba2d35bdee3cf8960239f9d6938340e4055fe8ded45442

SHA512
970a0f1600f515f4d23e8b2d4885a17ecda4ef1929ca6dcbcb8e5af5bdf951b3615ab7467384b9ab78d838104e13bc823163e22f96ccb07d7b0daf20b6f02560

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
856781c7bd7fbedeaae2a9f239e1f878

SHA1
4f5b155768f1310d3681e5bf96b5b61f9b5d704e

SHA256
d9865e4545f28894e72e114bab6a8f60a037bb95d41e9af9e3f09052492c8c18

SHA512
8132fa6b141bd764d914d741d1faac5e763dd12169587c34b659f374f469c32ad1fe6662e1d9c7eaede9aa0532d2bd22b8ae137c75907c4687d41970b98ef79d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9df4cd45f0abce4cd24046b5933fab7f

SHA1
ba41e7a9b27d7a1d647a461c2867ab282640455d

SHA256
da70ce45227506535cf695db92e0dee352739d366dbbb2eee127f14335143ed0

SHA512
98e1ace131dd64ddc4979dcca8b9d67ed4a3c9dcd859d4b156e6036a7801245c8ceb29835ee4c804fb2b8d8c2d37e0872399775573d83328abb1054f1120e99b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f60e13e146aaaec5dc61e0b9016800ea

SHA1
b67ebe8cdea2de5cc1bda01330430e6c5d0abd4b

SHA256
2c2029044b91321c0908c74cec814f95159ae2f94d453b8a28076138a03366ac

SHA512
7c7e227f7773f34bb3bd48e4fc585ecc048b770741992c0f8f542bdfe96cd4c89c300bf43d0c1c226e1bef9c3725f13dbd2c4a311eda87e7b45a64eebd553bb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95b1ce82ab60447b3e72252a6bc7356f

SHA1
ecb10516bf5ae2d9436f22ef3a0ed1a500cf0fff

SHA256
cb30e8627068895a00729640c5ebcfcb41fb01f669dcc1bac4dc1836e9ebd88a

SHA512
6954f0afa68b0fcd261a67f64069070fed9e0deb57269ede421744f7c931fdaa6c011e6cf186471406ff8a724f611f5f92856122f9efcec2980290b92c99855a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f34f7b19715d09f9e61cd5ac44a27448

SHA1
88fe51800178109abfaba50e732df9131187bcb0

SHA256
a5ae6656d9af1dc8f15e022b8943925524dac982559c3a44cc3324bfc55f2474

SHA512
9de9ce2a2bc2a789d4a263b55a51fb79bb7788350f3411d870c795098ebd52e662e2ed84a797adcfd031af84ebe9270af449587d83cac69e4f21a3b7ff461151

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9a751c028b02143ba63a8a310fe62b86

SHA1
9114c649d8b3be1eec7df8022da15d5da32e0c2a

SHA256
a006f62cff2a81807b8d5ef2c3d61b9ff1dcca78714a2026b3f50612a3163fdd

SHA512
8bcaad2507a433ca5b7b304b63893c7e2de8889ed4950e77a99fd9e123c645ede574a997228a2901512e71d786eae1f8088690a598f350a2765ac331aacfac96

Download Submit
memory/348-267-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/704-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/704-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/764-100-0x0000000005C70000-0x0000000005DCF000-memory.dmp

Filesize
1.4MB

Download
memory/764-99-0x0000000005C70000-0x0000000005DCF000-memory.dmp

Filesize
1.4MB

Download
memory/808-45-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/808-46-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/868-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/900-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/900-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1156-249-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/1204-266-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/1280-58-0x00000000042D0000-0x000000000442F000-memory.dmp

Filesize
1.4MB

Download
memory/1400-171-0x00000000044E0000-0x000000000463F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-154-0x0000000005C80000-0x0000000005DDF000-memory.dmp

Filesize
1.4MB

Download
memory/1560-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1568-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1568-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-142-0x0000000005A70000-0x0000000005BCF000-memory.dmp

Filesize
1.4MB

Download
memory/1832-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1832-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-13-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/1940-14-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2148-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2148-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-236-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/2472-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2472-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-254-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-261-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-70-0x0000000003D90000-0x0000000003EEF000-memory.dmp

Filesize
1.4MB

Download
memory/2864-83-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-84-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-129-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-128-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download