9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719

Analysis

max time kernel
123s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
Size

1.1MB
MD5

3fa648098db9fb665e5f3548b6620ca4
SHA1

e5dfd4dbf53dd2ed63622445df92fab0618e859e
SHA256

9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719
SHA512

ec486c02c35523187f990ade82f882713dee24e83f77d4644f09c3def68e1528ff9632cf7328069a6906b6ac98339940b1c8d3709f7dc826fa64a6411305c96a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QX:CcaClSFlG4ZM7QzMw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2560	svchcst.exe

Executes dropped EXE 20 IoCs

pid	Process
2560	svchcst.exe
920	svchcst.exe
2208	svchcst.exe
2652	svchcst.exe
324	svchcst.exe
1044	svchcst.exe
1508	svchcst.exe
2032	svchcst.exe
2776	svchcst.exe
1472	svchcst.exe
1776	svchcst.exe
2448	svchcst.exe
3032	svchcst.exe
2648	svchcst.exe
3052	svchcst.exe
1276	svchcst.exe
1536	svchcst.exe
1156	svchcst.exe
364	svchcst.exe
1496	svchcst.exe

Loads dropped DLL 35 IoCs

pid	Process
2116	WScript.exe
2116	WScript.exe
2348	WScript.exe
2348	WScript.exe
1768	WScript.exe
1768	WScript.exe
956	WScript.exe
956	WScript.exe
2672	WScript.exe
1644	WScript.exe
1644	WScript.exe
1644	WScript.exe
1728	WScript.exe
2316	WScript.exe
2316	WScript.exe
2424	WScript.exe
2404	WScript.exe
2168	WScript.exe
2404	WScript.exe
2168	WScript.exe
2404	WScript.exe
2168	WScript.exe
2168	WScript.exe
1556	WScript.exe
1556	WScript.exe
976	WScript.exe
976	WScript.exe
2100	WScript.exe
2100	WScript.exe
1728	WScript.exe
1728	WScript.exe
764	WScript.exe
764	WScript.exe
768	WScript.exe
768	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
920	svchcst.exe
920	svchcst.exe
920	svchcst.exe
920	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
2560	svchcst.exe
2560	svchcst.exe
920	svchcst.exe
920	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
324	svchcst.exe
324	svchcst.exe
1044	svchcst.exe
1044	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
1276	svchcst.exe
1276	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
364	svchcst.exe
364	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2116	1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe	28
PID 1084 wrote to memory of 2116	1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe	28
PID 1084 wrote to memory of 2116	1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe	28
PID 1084 wrote to memory of 2116	1084	9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe	28
PID 2116 wrote to memory of 2560	2116	WScript.exe	30
PID 2116 wrote to memory of 2560	2116	WScript.exe	30
PID 2116 wrote to memory of 2560	2116	WScript.exe	30
PID 2116 wrote to memory of 2560	2116	WScript.exe	30
PID 2560 wrote to memory of 2404	2560	svchcst.exe	31
PID 2560 wrote to memory of 2404	2560	svchcst.exe	31
PID 2560 wrote to memory of 2404	2560	svchcst.exe	31
PID 2560 wrote to memory of 2404	2560	svchcst.exe	31
PID 2560 wrote to memory of 2348	2560	svchcst.exe	32
PID 2560 wrote to memory of 2348	2560	svchcst.exe	32
PID 2560 wrote to memory of 2348	2560	svchcst.exe	32
PID 2560 wrote to memory of 2348	2560	svchcst.exe	32
PID 2348 wrote to memory of 920	2348	WScript.exe	33
PID 2348 wrote to memory of 920	2348	WScript.exe	33
PID 2348 wrote to memory of 920	2348	WScript.exe	33
PID 2348 wrote to memory of 920	2348	WScript.exe	33
PID 920 wrote to memory of 1768	920	svchcst.exe	34
PID 920 wrote to memory of 1768	920	svchcst.exe	34
PID 920 wrote to memory of 1768	920	svchcst.exe	34
PID 920 wrote to memory of 1768	920	svchcst.exe	34
PID 1768 wrote to memory of 2208	1768	WScript.exe	35
PID 1768 wrote to memory of 2208	1768	WScript.exe	35
PID 1768 wrote to memory of 2208	1768	WScript.exe	35
PID 1768 wrote to memory of 2208	1768	WScript.exe	35
PID 2208 wrote to memory of 956	2208	svchcst.exe	36
PID 2208 wrote to memory of 956	2208	svchcst.exe	36
PID 2208 wrote to memory of 956	2208	svchcst.exe	36
PID 2208 wrote to memory of 956	2208	svchcst.exe	36
PID 956 wrote to memory of 2652	956	WScript.exe	39
PID 956 wrote to memory of 2652	956	WScript.exe	39
PID 956 wrote to memory of 2652	956	WScript.exe	39
PID 956 wrote to memory of 2652	956	WScript.exe	39
PID 2652 wrote to memory of 2672	2652	svchcst.exe	40
PID 2652 wrote to memory of 2672	2652	svchcst.exe	40
PID 2652 wrote to memory of 2672	2652	svchcst.exe	40
PID 2652 wrote to memory of 2672	2652	svchcst.exe	40
PID 2672 wrote to memory of 324	2672	WScript.exe	41
PID 2672 wrote to memory of 324	2672	WScript.exe	41
PID 2672 wrote to memory of 324	2672	WScript.exe	41
PID 2672 wrote to memory of 324	2672	WScript.exe	41
PID 324 wrote to memory of 1644	324	svchcst.exe	42
PID 324 wrote to memory of 1644	324	svchcst.exe	42
PID 324 wrote to memory of 1644	324	svchcst.exe	42
PID 324 wrote to memory of 1644	324	svchcst.exe	42
PID 1644 wrote to memory of 1044	1644	WScript.exe	43
PID 1644 wrote to memory of 1044	1644	WScript.exe	43
PID 1644 wrote to memory of 1044	1644	WScript.exe	43
PID 1644 wrote to memory of 1044	1644	WScript.exe	43
PID 1044 wrote to memory of 2756	1044	svchcst.exe	44
PID 1044 wrote to memory of 2756	1044	svchcst.exe	44
PID 1044 wrote to memory of 2756	1044	svchcst.exe	44
PID 1044 wrote to memory of 2756	1044	svchcst.exe	44
PID 1644 wrote to memory of 1508	1644	WScript.exe	45
PID 1644 wrote to memory of 1508	1644	WScript.exe	45
PID 1644 wrote to memory of 1508	1644	WScript.exe	45
PID 1644 wrote to memory of 1508	1644	WScript.exe	45
PID 1508 wrote to memory of 1728	1508	svchcst.exe	46
PID 1508 wrote to memory of 1728	1508	svchcst.exe	46
PID 1508 wrote to memory of 1728	1508	svchcst.exe	46
PID 1508 wrote to memory of 1728	1508	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe
"C:\Users\Admin\AppData\Local\Temp\9e19a57c155aefb7783f85b49a406cf43d01de188d9a8711fc4769c3510cd719.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7f92a34f71720b04d60028801eb07932

SHA1
1701bae49609dc0ad1ab56823ae2414fd6c286c5

SHA256
b7445df62a392850e8ed07fba398dd5896625b6bcd694dfb5a02797ca2c637ee

SHA512
f5173fb410530956a6fcc8a15894c4186ae7fbac8e408714143359b476a2a2b1bd528cdb2e4647d1c16b99f108e452fb4fcb0a6db5eae6750fc6f6d8edd85360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
61341c5819d0caed1ef4e66580f0de87

SHA1
6175670def068f8c5e8adfac554e32a8f297e416

SHA256
05b7230c14d88fa1884eb65d192ae16df36b66ba30f52a13157ba27b516eea0f

SHA512
17928869fa3b74ae0eb9f4966e5e9962d077fceb3b95fbc453d8251ce7db68dcb6b48a2d841e7bc33049d728bf89625ad8ad969877c53395bfae696902dfc7ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d6cd120698b7d6f09e3007303bb8750d

SHA1
a2ddf69e2417b82ec842cfa3e3940d12d3fb192d

SHA256
2ff1c416e7646f70da33c8993a55ee1b03ffe4c8b6f147f9c312d299be86be44

SHA512
8f770745249b2bb96784af5fb9e2a945c75aeb88fa8008e4e86286980c54cd212c69dd3fdfc7c18d00f932b877faac7d48492fc87c983ca102342efbc7167289

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9795e269d3490cdaa42901eebc376d9a

SHA1
ae6470508343af128698254527d3a80e15301e55

SHA256
75d19853b89808e0f51b7a51b3f257216e849236cacfdef801a4f734115dbc81

SHA512
4f07c4be0e8cd2bafeb8f4d1e8442d1220278912d2a07f0fee00ebb1d24b916c460569d072dfdb5b27b47eda8f6b68b7f82ffaa439d4d56f08c2dc2e0b0134b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a7358ca3d49822e70fff75a2d23576fc

SHA1
eadafb69be6175d6bf8e2c4b8933b6b262c772b0

SHA256
b73ecb09be0bf6b8d9c1e9e37c3302e3509792eef32a0ba39ec3b67ea837611e

SHA512
8be5ae718c35edacec831dccdd6eeef4f77d0905fbfe4cb25175ff70799a5f4299ac3d639669789d6a50394988eac98555fe3828e2b3a50116f4d3d58efa9a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
041d1ce9ec929bc268a36833863b7403

SHA1
c027c717bcb53656d1e40f0862cf8647882e213c

SHA256
e4dae09cb31ad92097695a7389079266ab2cdcd432f844063d552802cb1e93c2

SHA512
db0081f537d23f7c3416111b23de04d2151eff393015c5b781636eda2c7d23140ae685232392e0c21ea2bdba66a76a91a67f3199da3d5bd54e428b471fcb6915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
481cb6195bc92c524db134f0ed42d4c2

SHA1
49b70c03e47d620bfbf9e97c440f4c0cabee03df

SHA256
c182665905487d6fd1b71f59e4edf8f4e22b906b4da417979c56f81204844f45

SHA512
3d8a8f6900ea9eddf48ae19b7d7176d090275c9b95feb20f68c709aadf2d612f3ddb7dd09cbe8e843cbabf9732a09073a277d85f258d835cd26377fe81010af4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3d02c4203753bca8adde008c22050f65

SHA1
dccfdc97db39b5f606edb43f99001aeeb84273de

SHA256
1e8af97535c36a0f2443f825c8689386e8c3812e3b9d748408bda730b862eac7

SHA512
aea5b37439e945d9b40ce651f6f8fa12878a7ef5cf9b9d56c7a1f6965d23a446476022d14cdf1eada20367b278e9e652e886e8033ef3624f5dcba6c314e63371

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
91466ab87dea50c57f313e2c4a012b22

SHA1
eb733f760648c96abd64f28d64d30c2c0404aee6

SHA256
aa15954596ebc1487a4498acf0e0885b991d95d14246b1b31090d4095f86285f

SHA512
5bf7d15441a4679cdf85d235ac817b52bd1de8c2c34827726b86e7ed5767e6ba9f2e6110522f7d6994cc9558a667a66d01863753cd761105ce06003592ea98dc

Download Submit
memory/1084-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download