c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 21:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
Size

1.1MB
MD5

8b68fc6d3cbafbdc9319b57afad93483
SHA1

453906a90ad62dd9b974abd934477fd2779dcdf8
SHA256

c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b
SHA512

9d6ba3428e9199c9a2ed9c4c3b3dec1ec7e853a98583c530cee4957669315da241a195711bc83a436c7f9d635e615c8a12f3e8eaf63642ce44099fff87451ba8
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qw:CcaClSFlG4ZM7QzMX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2488	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2488	svchcst.exe
2784	svchcst.exe
1636	svchcst.exe
2320	svchcst.exe
2868	svchcst.exe
3064	svchcst.exe
1256	svchcst.exe
2088	svchcst.exe
2404	svchcst.exe
2800	svchcst.exe
2360	svchcst.exe
2572	svchcst.exe
2120	svchcst.exe
2868	svchcst.exe
288	svchcst.exe
1996	svchcst.exe
896	svchcst.exe
2564	svchcst.exe
2452	svchcst.exe
2800	svchcst.exe
2360	svchcst.exe
1876	svchcst.exe
2788	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2604	WScript.exe
2604	WScript.exe
2928	WScript.exe
2928	WScript.exe
884	WScript.exe
884	WScript.exe
292	WScript.exe
292	WScript.exe
2032	WScript.exe
1284	WScript.exe
1284	WScript.exe
1284	WScript.exe
272	WScript.exe
272	WScript.exe
2732	WScript.exe
2732	WScript.exe
2916	WScript.exe
2916	WScript.exe
1908	WScript.exe
1908	WScript.exe
1516	WScript.exe
1516	WScript.exe
2936	WScript.exe
2936	WScript.exe
2720	WScript.exe
2720	WScript.exe
1012	WScript.exe
1012	WScript.exe
1856	WScript.exe
1856	WScript.exe
2272	WScript.exe
2272	WScript.exe
2088	WScript.exe
2088	WScript.exe
3008	WScript.exe
3008	WScript.exe
2600	WScript.exe
2600	WScript.exe
1872	WScript.exe
1872	WScript.exe
1484	WScript.exe
1484	WScript.exe
2460	WScript.exe
2460	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
2488	svchcst.exe
2488	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
1256	svchcst.exe
1256	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2360	svchcst.exe
2360	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
288	svchcst.exe
288	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
896	svchcst.exe
896	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2360	svchcst.exe
2360	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2604	2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe	28
PID 2556 wrote to memory of 2604	2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe	28
PID 2556 wrote to memory of 2604	2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe	28
PID 2556 wrote to memory of 2604	2556	c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe	28
PID 2604 wrote to memory of 2488	2604	WScript.exe	30
PID 2604 wrote to memory of 2488	2604	WScript.exe	30
PID 2604 wrote to memory of 2488	2604	WScript.exe	30
PID 2604 wrote to memory of 2488	2604	WScript.exe	30
PID 2488 wrote to memory of 2928	2488	svchcst.exe	31
PID 2488 wrote to memory of 2928	2488	svchcst.exe	31
PID 2488 wrote to memory of 2928	2488	svchcst.exe	31
PID 2488 wrote to memory of 2928	2488	svchcst.exe	31
PID 2928 wrote to memory of 2784	2928	WScript.exe	32
PID 2928 wrote to memory of 2784	2928	WScript.exe	32
PID 2928 wrote to memory of 2784	2928	WScript.exe	32
PID 2928 wrote to memory of 2784	2928	WScript.exe	32
PID 2784 wrote to memory of 884	2784	svchcst.exe	33
PID 2784 wrote to memory of 884	2784	svchcst.exe	33
PID 2784 wrote to memory of 884	2784	svchcst.exe	33
PID 2784 wrote to memory of 884	2784	svchcst.exe	33
PID 884 wrote to memory of 1636	884	WScript.exe	34
PID 884 wrote to memory of 1636	884	WScript.exe	34
PID 884 wrote to memory of 1636	884	WScript.exe	34
PID 884 wrote to memory of 1636	884	WScript.exe	34
PID 1636 wrote to memory of 292	1636	svchcst.exe	35
PID 1636 wrote to memory of 292	1636	svchcst.exe	35
PID 1636 wrote to memory of 292	1636	svchcst.exe	35
PID 1636 wrote to memory of 292	1636	svchcst.exe	35
PID 292 wrote to memory of 2320	292	WScript.exe	36
PID 292 wrote to memory of 2320	292	WScript.exe	36
PID 292 wrote to memory of 2320	292	WScript.exe	36
PID 292 wrote to memory of 2320	292	WScript.exe	36
PID 2320 wrote to memory of 2032	2320	svchcst.exe	37
PID 2320 wrote to memory of 2032	2320	svchcst.exe	37
PID 2320 wrote to memory of 2032	2320	svchcst.exe	37
PID 2320 wrote to memory of 2032	2320	svchcst.exe	37
PID 2032 wrote to memory of 2868	2032	WScript.exe	38
PID 2032 wrote to memory of 2868	2032	WScript.exe	38
PID 2032 wrote to memory of 2868	2032	WScript.exe	38
PID 2032 wrote to memory of 2868	2032	WScript.exe	38
PID 2868 wrote to memory of 1284	2868	svchcst.exe	39
PID 2868 wrote to memory of 1284	2868	svchcst.exe	39
PID 2868 wrote to memory of 1284	2868	svchcst.exe	39
PID 2868 wrote to memory of 1284	2868	svchcst.exe	39
PID 1284 wrote to memory of 3064	1284	WScript.exe	40
PID 1284 wrote to memory of 3064	1284	WScript.exe	40
PID 1284 wrote to memory of 3064	1284	WScript.exe	40
PID 1284 wrote to memory of 3064	1284	WScript.exe	40
PID 3064 wrote to memory of 1588	3064	svchcst.exe	41
PID 3064 wrote to memory of 1588	3064	svchcst.exe	41
PID 3064 wrote to memory of 1588	3064	svchcst.exe	41
PID 3064 wrote to memory of 1588	3064	svchcst.exe	41
PID 1284 wrote to memory of 1256	1284	WScript.exe	44
PID 1284 wrote to memory of 1256	1284	WScript.exe	44
PID 1284 wrote to memory of 1256	1284	WScript.exe	44
PID 1284 wrote to memory of 1256	1284	WScript.exe	44
PID 1256 wrote to memory of 272	1256	svchcst.exe	45
PID 1256 wrote to memory of 272	1256	svchcst.exe	45
PID 1256 wrote to memory of 272	1256	svchcst.exe	45
PID 1256 wrote to memory of 272	1256	svchcst.exe	45
PID 272 wrote to memory of 2088	272	WScript.exe	46
PID 272 wrote to memory of 2088	272	WScript.exe	46
PID 272 wrote to memory of 2088	272	WScript.exe	46
PID 272 wrote to memory of 2088	272	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe
"C:\Users\Admin\AppData\Local\Temp\c028aaf806a36b84b99758e62fa30c0383ce5c87bdca51576face46ef18e020b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2a3c75204cb614ebaa2cd841fb564393

SHA1
9ec6cf08a2535a60042b1e81d3ef0854aff554f1

SHA256
1df5e19a10e418751aa3f51d0a62352f9cb7cc8f8e8e0139d1aa14a002af8aa9

SHA512
5920a2677bf5ff5c8354e088ec8edd739fe014f6b198a8dfb9bca98077bdaae038d628259f827d226d1a9d640c53da77d45c6865a101ae82e4a71137b1dec6be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ac6316483f16b6b06f7e786c4691123

SHA1
5a82e637adaae4d2038192f7ac90f6e6df20a14f

SHA256
2df4ac610b94151c4c9b6965a4b774504f7ad33dddac03e816c1c6fbfbe8a2b4

SHA512
1121f7fb6959b4a53cedca790f1efa2a931ef23839746e2d1f2849b0e91493d44f32fd0245d65dd43984b27d301e56bb41e6055a152532e3d29eff3f84011225

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a6fb726400e8712e91ee36d201d951f5

SHA1
7a0ad8e4bd728c8f1032fe89bc70061146e424e3

SHA256
0595110954ff919705b3385f3cd3114dff28e51f1e4c77256d03a217143cf93d

SHA512
b4ca85f8b0eb15ed8dd4730ab32ef024c62e08442322fec1ab377103c2ab494f8f3844e72951a3149d2d081855c030bde2be8a612278f40d06a8bfb97956e7d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
20ee2bda85694579dcbd9d3bde27e315

SHA1
94058540a6a9e9bf10df75cb1d5e79142e441122

SHA256
4a5ec51c877de07f5b5015f805f31c06ef69822c60b22d815252361a5c81c494

SHA512
37c5bb764ecbc6c197b3796ecb861a3cafb1df23b80e00908bcb96a788ae7e3ba9db53d601eecde37cca3dc386eaeb81c6db254af17378307bc96307b1240a25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
50cdda4df08ae7879f619f14d79a3909

SHA1
b4bf007ae4e8b50cbeb2f5c89c954151be8373e9

SHA256
7760c2a7fe1798fb8d9fc87750fd833875a86a9bcfd81e6341a037c655c02a42

SHA512
80f5cd04b43eb43c89ab1e7385e60bdee18c323edbcf081de9e8ae1d39d75a710a6f0504872cf6dbe47c6b29d2a717dce69c770cd484e571403d3d257094020d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7f972b33644b06a7d7dcb049b32cbfd6

SHA1
864c7e8f4686d8195cd0db3c42604c88f1ff7d5b

SHA256
d29baf6630c38c44881d08616035629ade380bda6e5fb9cbdb80e01752232bb6

SHA512
750d6f1dafd3edc09c8e257d565607fd575c43a64efe9dce4d061b2eac0f27c6759ee61fa5df6cba3c920526f6331b369482489239d899e51d92f159ea9a461f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6bd46d900e80713c68d0f0c701106983

SHA1
04f19ad5cfa11ee26727b13ecc5c47f882061531

SHA256
0de9da318f547140cb5bc75a3be7ae28891f2888390b674a28da344b4720317d

SHA512
f5f1fcff7e189954995ab13e00aeab59e377c9d883bfebd02b45503614fc7255cf276de60bf3f32ecdc48966cc816916fa6318cefa56b6150fb7e507eb5d185d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d95934e8ea5309e6fd2b8585ce618a15

SHA1
14206203308ac7797441918d27f5c82d02e67b0d

SHA256
dcc38b8f3bd53afa18143502e9d7e546faaf9f6f6b2a5e5de44bf375e811a3ce

SHA512
3b1aba891313bbb7279db9bba18a566524031d1f87091e0b48a295b86768b7e8d300cca89f528031f56333bd67efa1324cea0994169e47e1baaff7c6432a3904

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d2ac552b4deae75f9144b20a04ac628f

SHA1
878fc1e3b4966ea74c71d9956933861ee7e2a3c9

SHA256
5eabaf4c1614235061985e28548ba78a8d668aacd74dde52bc754321938c3b6c

SHA512
e17358ee841e3cd9315d5e6a8a5da9a9bd5a16349c22e49d91f430c8f8fb67e8b04be90631f9fa5c7208f180397821123bd17f8f4712e1e2dd6843fa8ad2dc25

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aaf113c6b02316008909bd205d51a5d5

SHA1
497d81a8d9abf044821837e4005ade16f3d91cc1

SHA256
f99da108f98325d22fb6125e9901baf9e78396e1c2421057698499b2a3760261

SHA512
e76ce37ddd7e8861b77bd71f1a764f2dc0447e8ce6a37d21e6fca35ae4f1073325ee6e173d30c622b989524526e50c3092f0cefd4c7f82cd33b115249076f74c

Download Submit
memory/2556-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download