c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 20:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe
Size

1.1MB
MD5

75816305344b1c5898d63ff7edea5d0a
SHA1

4e62edabab3fceba618cb580043a7a138f224ef2
SHA256

c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73
SHA512

46cbdb0280d34a0f1c6dce4f59713b2ffe06a7db5c7a5a55eb3ec450da10fd8827a8f755b7bbe4c940deca5681ad08631fe784d1928a5dbcea6bae1b9a9b5186
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qh:CcaClSFlG4ZM7QzMS

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2496	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2496	svchcst.exe
2784	svchcst.exe
2816	svchcst.exe
2104	svchcst.exe
2688	svchcst.exe
1864	svchcst.exe
1956	svchcst.exe
2548	svchcst.exe
2220	svchcst.exe
2400	svchcst.exe
1636	svchcst.exe
1228	svchcst.exe
844	svchcst.exe
948	svchcst.exe
2132	svchcst.exe
2200	svchcst.exe
2996	svchcst.exe
2852	svchcst.exe
1860	svchcst.exe
2180	svchcst.exe
304	svchcst.exe
2332	svchcst.exe
1252	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2948	WScript.exe
2948	WScript.exe
2208	WScript.exe
2208	WScript.exe
1628	WScript.exe
1628	WScript.exe
1248	WScript.exe
1248	WScript.exe
380	WScript.exe
380	WScript.exe
3024	WScript.exe
3024	WScript.exe
780	WScript.exe
780	WScript.exe
2776	WScript.exe
2776	WScript.exe
2500	WScript.exe
2500	WScript.exe
1128	WScript.exe
1128	WScript.exe
1568	WScript.exe
1568	WScript.exe
2916	WScript.exe
2916	WScript.exe
1492	WScript.exe
1492	WScript.exe
3048	WScript.exe
3048	WScript.exe
352	WScript.exe
352	WScript.exe
1960	WScript.exe
1960	WScript.exe
2284	WScript.exe
2284	WScript.exe
1048	WScript.exe
1048	WScript.exe
2932	WScript.exe
2932	WScript.exe
928	WScript.exe
928	WScript.exe
2784	WScript.exe
2784	WScript.exe
1284	WScript.exe
1284	WScript.exe
1700	WScript.exe
1700	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe
848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe
848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe
2496	svchcst.exe
2496	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe
844	svchcst.exe
844	svchcst.exe
948	svchcst.exe
948	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
304	svchcst.exe
304	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2948	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	28
PID 848 wrote to memory of 2948	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	28
PID 848 wrote to memory of 2948	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	28
PID 848 wrote to memory of 2948	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	28
PID 848 wrote to memory of 3052	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	29
PID 848 wrote to memory of 3052	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	29
PID 848 wrote to memory of 3052	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	29
PID 848 wrote to memory of 3052	848	c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe	29
PID 2948 wrote to memory of 2496	2948	WScript.exe	31
PID 2948 wrote to memory of 2496	2948	WScript.exe	31
PID 2948 wrote to memory of 2496	2948	WScript.exe	31
PID 2948 wrote to memory of 2496	2948	WScript.exe	31
PID 2496 wrote to memory of 2208	2496	svchcst.exe	32
PID 2496 wrote to memory of 2208	2496	svchcst.exe	32
PID 2496 wrote to memory of 2208	2496	svchcst.exe	32
PID 2496 wrote to memory of 2208	2496	svchcst.exe	32
PID 2208 wrote to memory of 2784	2208	WScript.exe	33
PID 2208 wrote to memory of 2784	2208	WScript.exe	33
PID 2208 wrote to memory of 2784	2208	WScript.exe	33
PID 2208 wrote to memory of 2784	2208	WScript.exe	33
PID 2784 wrote to memory of 1628	2784	svchcst.exe	34
PID 2784 wrote to memory of 1628	2784	svchcst.exe	34
PID 2784 wrote to memory of 1628	2784	svchcst.exe	34
PID 2784 wrote to memory of 1628	2784	svchcst.exe	34
PID 1628 wrote to memory of 2816	1628	WScript.exe	35
PID 1628 wrote to memory of 2816	1628	WScript.exe	35
PID 1628 wrote to memory of 2816	1628	WScript.exe	35
PID 1628 wrote to memory of 2816	1628	WScript.exe	35
PID 2816 wrote to memory of 1248	2816	svchcst.exe	36
PID 2816 wrote to memory of 1248	2816	svchcst.exe	36
PID 2816 wrote to memory of 1248	2816	svchcst.exe	36
PID 2816 wrote to memory of 1248	2816	svchcst.exe	36
PID 1248 wrote to memory of 2104	1248	WScript.exe	37
PID 1248 wrote to memory of 2104	1248	WScript.exe	37
PID 1248 wrote to memory of 2104	1248	WScript.exe	37
PID 1248 wrote to memory of 2104	1248	WScript.exe	37
PID 2104 wrote to memory of 380	2104	svchcst.exe	38
PID 2104 wrote to memory of 380	2104	svchcst.exe	38
PID 2104 wrote to memory of 380	2104	svchcst.exe	38
PID 2104 wrote to memory of 380	2104	svchcst.exe	38
PID 380 wrote to memory of 2688	380	WScript.exe	39
PID 380 wrote to memory of 2688	380	WScript.exe	39
PID 380 wrote to memory of 2688	380	WScript.exe	39
PID 380 wrote to memory of 2688	380	WScript.exe	39
PID 2688 wrote to memory of 3024	2688	svchcst.exe	40
PID 2688 wrote to memory of 3024	2688	svchcst.exe	40
PID 2688 wrote to memory of 3024	2688	svchcst.exe	40
PID 2688 wrote to memory of 3024	2688	svchcst.exe	40
PID 3024 wrote to memory of 1864	3024	WScript.exe	41
PID 3024 wrote to memory of 1864	3024	WScript.exe	41
PID 3024 wrote to memory of 1864	3024	WScript.exe	41
PID 3024 wrote to memory of 1864	3024	WScript.exe	41
PID 1864 wrote to memory of 780	1864	svchcst.exe	42
PID 1864 wrote to memory of 780	1864	svchcst.exe	42
PID 1864 wrote to memory of 780	1864	svchcst.exe	42
PID 1864 wrote to memory of 780	1864	svchcst.exe	42
PID 780 wrote to memory of 1956	780	WScript.exe	45
PID 780 wrote to memory of 1956	780	WScript.exe	45
PID 780 wrote to memory of 1956	780	WScript.exe	45
PID 780 wrote to memory of 1956	780	WScript.exe	45
PID 1956 wrote to memory of 2776	1956	svchcst.exe	46
PID 1956 wrote to memory of 2776	1956	svchcst.exe	46
PID 1956 wrote to memory of 2776	1956	svchcst.exe	46
PID 1956 wrote to memory of 2776	1956	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe
"C:\Users\Admin\AppData\Local\Temp\c7b33ef7342eb8e31a2a8688043684b60cbd2f4e182191e0b0844e9801c8ff73.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c2d536485bdb5ac9713d73e5f30ff1e3

SHA1
28de172b3479f4cea4e95bb40ddb11fa83cbd7b9

SHA256
3960d04f74c3b3273fff6bb5da7f28216963ac6ff95e74212fb1db763b967cee

SHA512
0594e37236b47346f1db5ac37e03a2f130d8a534af182522a6017853c939ee8c25536e5651856a2b1f6741d61b53c5eb685d1536409a1fbee4d96d917a8cbdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
04d537393bd27b3c7c25dfd47680e4f8

SHA1
2ba6238e3d8bb7480b552536f11eecfc199391d2

SHA256
797258c7aa9affe19dc98e2bb23addc15fe2da9975c970ea30334b73ef15cfd6

SHA512
b48e7b269380bffc2cd3ed6f99da3d92c7d95029f7a26fbef12a4e15daa7ef05a7004c5c672eb897a259327cb558ed013664225be5993479fef9c484dc4dc09c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
80f51fbcbd7d09e39eea1d4038960e54

SHA1
c7232c209a5b1b449f53f39bbd7b8d72e61d1016

SHA256
9cd2e94745a5a1a2ea491df727e7f1ae34f1737232dbc344b6c1506e3e01829b

SHA512
ac7307a60983fb8d66a322f7b8829716be9491bdf4b66306748c90720d2da3cc9c5cbc6c5fee93d9342da7bf2eb84658b0910ee139dc7dc2532988c2dc2c56f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
55e802dc1a5bcf4b8d8a68febd0ee19f

SHA1
53f850019be2738274276daa4924c8b97490f02c

SHA256
cd1f11008e1a0e250c326fd418121cebfee9fc5356c8394c1ac2494f68cc4562

SHA512
78a7ee166c1db14efbf3cd06644ea632e9f80574c4291ee27d05c0971d632535ce4b8de5de1613783aea930146c33c8aa41c0fe74913290217a69780f6f6c15d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
58221eb7938e9943c433eca15fb86fbf

SHA1
199183850a2e0e58c171e876f8463a296a66f97c

SHA256
ddb9259ae586e13c98e2ac203c9fb1c4182f1bfc8732a24e7f2111a6a531caca

SHA512
36e05451879d65de8b7fd82f47b307c612577073f85ad63e5c6927c5a78185fbbe7e94f9e5d00c9d893fe06d308a6b9938d7c4791428f36df682c0d7aba3b9ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
11bfc71b42ee23c82088bba3bd0e4175

SHA1
9d0f5377c750ca2b185cc9fc1bffbd6a21155c53

SHA256
2d07e450422bf15376cfae9ac3c03ee2f771d3cf91c40eec8a9af7a596c82114

SHA512
37190c414321d812ea73c0293dbbef53457c5c2bf790e0a0a3cb2f936af61493d3111a3ef679a256bd1f4227de12c0cc55ba47188d843e8e1231624160b41a44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
db40b6dc68ef98bec54f6c919b49d5a9

SHA1
5eb2e320fd7f2266568ad9e033513384b791f286

SHA256
1aeaa90cb6664105a12b0c92d5756f0cbbf64a98aee5718c988ec4ec3ad9123c

SHA512
9450f5242eb0818e7b7a6788fe2f3f7957c720eb3eee1905d8f1652ea9419ce874b4fb066bcfe54e24c04279f5804301d97e906ae016941ba4dbe62a753bf98d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7e821edb8d329c548837d4ef8e27e470

SHA1
3626fed5bdfaa8191d549b10a89ff4fc3f3030a2

SHA256
a66823763c70000b5a70aa80831d956b19c4dd1d94555f8da86fe0110dfa676f

SHA512
5643fc036f2d1918ab45ab8919106836fa4cdb348c1bc520cfd2fd110bd14fb863efca8c7a1a319e4a491f1b79d29c81d945b6dc7c0e02b1ef2496e3ce81cd30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6997e19d0714ec7bf1c5cfdfbd61e31f

SHA1
5ef1d6135fd6cb220fce0a0129c74959635c78c4

SHA256
3f477afa3397a60b0f2b51b79bd886652faa7c786bf346d03b1d628b5c81ea2f

SHA512
40f40363707ad4e23cc49472993dbfe43c69076b3af7019e967d474d4d637505fe858741c5ed3b7102559bbe27de5ed9212ad3c17ef8a4ab09ceedad57363067

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4873b1f80ac816b1d8c1b57eb6cf90aa

SHA1
1e74616cc7c920d9e58008907efbf01b1ddaefe8

SHA256
9e5faa861fbc1539764a4fb6329bba13effb7fda28e69da388948a8f95dd9071

SHA512
a9469af279e397e01d0dece0720a0e7539ef635fa6622c4b28555c86c3616fe18a0fa59760e72de141d2dc3882970a039fa8bade9c226157e8da9167fd61982a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dc75bb37231d53aa49e0b2ccb434e44c

SHA1
cf7edfca8e0dc4cbbfd13b311c2e463dffcf2131

SHA256
f7b631ea683b097f3b0592a3e6c2fe33d1b69e2746fc69d3924bebb2b6786b8a

SHA512
8b388683b399a5912491847c85aca3ae24de85ac2f534f19b9661982d8bed4ca2d44402fb4e128769b8d55de8eb130154d550502a0aa8be174513180278c99be

Download Submit
memory/848-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download