2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
Size

1.1MB
MD5

d82c61be6e50cd1da8b6dcc1349753a5
SHA1

1e06757cd6e1247f3a5b312b5c3327695383ac41
SHA256

2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132
SHA512

e20b9d8c595cce888bf167eace5448a03b06594a38bda9bb4e9a9195ffcc2cdb9aa0ac376af48d4276b0c85de48edefd7da357883d54693a61fe4650f3231213
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q9:CcaClSFlG4ZM7QzMG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2784	svchcst.exe
1820	svchcst.exe
928	svchcst.exe
1160	svchcst.exe
868	svchcst.exe
2980	svchcst.exe
1116	svchcst.exe
1696	svchcst.exe
2940	svchcst.exe
2204	svchcst.exe
948	svchcst.exe
2876	svchcst.exe
2052	svchcst.exe
1988	svchcst.exe
2816	svchcst.exe
3056	svchcst.exe
1700	svchcst.exe
2688	svchcst.exe
2540	svchcst.exe
1528	svchcst.exe
1296	svchcst.exe
2088	svchcst.exe
1432	svchcst.exe

Loads dropped DLL 41 IoCs

pid	Process
2892	WScript.exe
2892	WScript.exe
2468	WScript.exe
2468	WScript.exe
1616	WScript.exe
1616	WScript.exe
2712	WScript.exe
2712	WScript.exe
1984	WScript.exe
1984	WScript.exe
1148	WScript.exe
544	WScript.exe
544	WScript.exe
544	WScript.exe
1672	WScript.exe
2560	WScript.exe
2560	WScript.exe
1320	WScript.exe
2732	WScript.exe
536	WScript.exe
536	WScript.exe
780	WScript.exe
780	WScript.exe
280	WScript.exe
280	WScript.exe
880	WScript.exe
880	WScript.exe
2904	WScript.exe
2904	WScript.exe
2320	WScript.exe
2320	WScript.exe
1672	WScript.exe
1672	WScript.exe
2972	WScript.exe
2972	WScript.exe
792	WScript.exe
792	WScript.exe
1080	WScript.exe
1080	WScript.exe
528	WScript.exe
528	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
2784	svchcst.exe
2784	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
928	svchcst.exe
928	svchcst.exe
1160	svchcst.exe
1160	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
1116	svchcst.exe
1116	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
948	svchcst.exe
948	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe
1296	svchcst.exe
1296	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2892	2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe	28
PID 2332 wrote to memory of 2892	2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe	28
PID 2332 wrote to memory of 2892	2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe	28
PID 2332 wrote to memory of 2892	2332	2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe	28
PID 2892 wrote to memory of 2784	2892	WScript.exe	30
PID 2892 wrote to memory of 2784	2892	WScript.exe	30
PID 2892 wrote to memory of 2784	2892	WScript.exe	30
PID 2892 wrote to memory of 2784	2892	WScript.exe	30
PID 2784 wrote to memory of 2468	2784	svchcst.exe	31
PID 2784 wrote to memory of 2468	2784	svchcst.exe	31
PID 2784 wrote to memory of 2468	2784	svchcst.exe	31
PID 2784 wrote to memory of 2468	2784	svchcst.exe	31
PID 2468 wrote to memory of 1820	2468	WScript.exe	32
PID 2468 wrote to memory of 1820	2468	WScript.exe	32
PID 2468 wrote to memory of 1820	2468	WScript.exe	32
PID 2468 wrote to memory of 1820	2468	WScript.exe	32
PID 1820 wrote to memory of 1616	1820	svchcst.exe	33
PID 1820 wrote to memory of 1616	1820	svchcst.exe	33
PID 1820 wrote to memory of 1616	1820	svchcst.exe	33
PID 1820 wrote to memory of 1616	1820	svchcst.exe	33
PID 1616 wrote to memory of 928	1616	WScript.exe	34
PID 1616 wrote to memory of 928	1616	WScript.exe	34
PID 1616 wrote to memory of 928	1616	WScript.exe	34
PID 1616 wrote to memory of 928	1616	WScript.exe	34
PID 928 wrote to memory of 2712	928	svchcst.exe	35
PID 928 wrote to memory of 2712	928	svchcst.exe	35
PID 928 wrote to memory of 2712	928	svchcst.exe	35
PID 928 wrote to memory of 2712	928	svchcst.exe	35
PID 2712 wrote to memory of 1160	2712	WScript.exe	36
PID 2712 wrote to memory of 1160	2712	WScript.exe	36
PID 2712 wrote to memory of 1160	2712	WScript.exe	36
PID 2712 wrote to memory of 1160	2712	WScript.exe	36
PID 1160 wrote to memory of 1984	1160	svchcst.exe	37
PID 1160 wrote to memory of 1984	1160	svchcst.exe	37
PID 1160 wrote to memory of 1984	1160	svchcst.exe	37
PID 1160 wrote to memory of 1984	1160	svchcst.exe	37
PID 1984 wrote to memory of 868	1984	WScript.exe	38
PID 1984 wrote to memory of 868	1984	WScript.exe	38
PID 1984 wrote to memory of 868	1984	WScript.exe	38
PID 1984 wrote to memory of 868	1984	WScript.exe	38
PID 868 wrote to memory of 1148	868	svchcst.exe	39
PID 868 wrote to memory of 1148	868	svchcst.exe	39
PID 868 wrote to memory of 1148	868	svchcst.exe	39
PID 868 wrote to memory of 1148	868	svchcst.exe	39
PID 1148 wrote to memory of 2980	1148	WScript.exe	40
PID 1148 wrote to memory of 2980	1148	WScript.exe	40
PID 1148 wrote to memory of 2980	1148	WScript.exe	40
PID 1148 wrote to memory of 2980	1148	WScript.exe	40
PID 2980 wrote to memory of 544	2980	svchcst.exe	41
PID 2980 wrote to memory of 544	2980	svchcst.exe	41
PID 2980 wrote to memory of 544	2980	svchcst.exe	41
PID 2980 wrote to memory of 544	2980	svchcst.exe	41
PID 544 wrote to memory of 1116	544	WScript.exe	42
PID 544 wrote to memory of 1116	544	WScript.exe	42
PID 544 wrote to memory of 1116	544	WScript.exe	42
PID 544 wrote to memory of 1116	544	WScript.exe	42
PID 1116 wrote to memory of 2924	1116	svchcst.exe	43
PID 1116 wrote to memory of 2924	1116	svchcst.exe	43
PID 1116 wrote to memory of 2924	1116	svchcst.exe	43
PID 1116 wrote to memory of 2924	1116	svchcst.exe	43
PID 544 wrote to memory of 1696	544	WScript.exe	46
PID 544 wrote to memory of 1696	544	WScript.exe	46
PID 544 wrote to memory of 1696	544	WScript.exe	46
PID 544 wrote to memory of 1696	544	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe
"C:\Users\Admin\AppData\Local\Temp\2ac074e1abb0cd237d9306ef9d24f8fdf7e9f62d25534e0c6e0655590490a132.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f3f0fa6d975dd47641bd1af6c7451734

SHA1
1add4089f61331529bf37a831627d18234f8fc3a

SHA256
06e3c5143add339665ddc8225f19db893714d4e1cc1996ca46e68e2679549ed5

SHA512
c4d3663c630982f355a466dbc4ec8a7d707f6a7ecb777c0c7ecd894d134bf814385b022437c30bda5cb1454c55bb7d8b7514c1236c3e54a295b45c33f6bc1f01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
014d4c1dd74cc6e50f8e723922c6a401

SHA1
98aaceee09f965673e253c53790832060856440f

SHA256
b999d3c108843f7bdbe9762d949fa1860ec77c471cc426aa26b9919a42b9e1de

SHA512
4461892c8dc8fee9874f58c9eead66a28c12056ca35379444189d982c7a91bb13c445890614d856442588d41cd49e50161a662db02ff6c14d779bfe8d9766b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b7c6d6019fe0e20249f7b155e7507a16

SHA1
6f6f387851dd7929682f01536631e95ae4f98bb9

SHA256
e47d2cbbc89944d28c65eab69fd0a75ea873574240d5c837b786bce704426292

SHA512
433776bdf0ac321b3e0058faafbb53fa36f0878066e134006cc0598b49e91a24e66c457383143b45941ddd2b33b6c2c72d20fd8d62892c857103ef18cfbb96a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
190f70e9560c7a82760b3c2c3d05358d

SHA1
6660af148ef7aafeaaa2723a9c7a7b13a0e04e8e

SHA256
727a56c6c53c82b713417609ecb689b2bfd79513cc6a0860f7c2ec749215d2da

SHA512
391b9521199ca288555f46885c130fdb37db7931a21a4c50f5c2fa9785f1263bd7b7586854eb99970152dc758e17644fab9c6bec03eff143145e93ff773bd73a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e867be865d5dd78faf3ea034c0719871

SHA1
a91ea4ce79ac470a278c984c560456b2cf3a595c

SHA256
9105b0b327ffb78160f4f162b1dbfe145d7c1b605a66fdea05fe5e34b0bc0108

SHA512
8734c22e5d1c2ba41b4c150fcc45032eb2acccea3613737368c99ffd07a267acb75300c73653d7209ea6cc9a1950828fa31f2eefee5087cdccae26f5a734a22f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fdb875636d59dfa836dee3ba97d3d10d

SHA1
0b5dcf75502c11f80818e16d13f66ff4a2b48a98

SHA256
860cb34406cf879af057c026224dd198ab425c70f9f2e171f7585a6188d9c692

SHA512
7267d9a023b398a6ce65841e6a67f9cd8bf9b74d510f2386f8dcb9e56b06a0fd2357610a05e76ea7b69f7cc6acd6113326b490caa56d6314b7a5890bc6f031a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d9d4707d778440ab9afed27f0605ec63

SHA1
699ef608039636fa3aed883188cf2cdd6cddf180

SHA256
70becc6ac8683bf9b2712276d7c8101ad4b270d75eae2ebaa59346ece6dce121

SHA512
550c83d4381a6fdfa8f9272d5dbc6fae7e463e8407a071eaf7e08f5639e4c66f4b41460db0c0d8dd6a64321d24c05ccd7761caeee95ed9b6465244755946f7dd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
212f6e12780a5c3a88b41b6016e32e0b

SHA1
2adee9ddaaf4134bc8a416886416a1ed2c55526f

SHA256
461879e625a8e2fd607e4489e669f3a2bc13cb7ff173c56cf8e17eadb021917e

SHA512
90d2557eb2ddc90762090c41ea9bcefd804fdc6dd579daaa42ac743b864e475dfdd396ffd09953e87eb0a882b209e7cc0e53f19f4dda002f7880c4297a65ba54

Download Submit
memory/2332-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download