af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe
Size

1.1MB
MD5

cdef04efc558ad2f334bd8fd887f9e02
SHA1

dc7b978828a8cb9c37bc16ec1dca2f461ab23ad8
SHA256

af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c
SHA512

8eccee22a34b50d28db3c2b6da20d5cb3043a172a4ba104d72911a9ebfb4007005506452b1b1eb9c5cfa5ad64bfc45498c67d1c4320e7903dc3dd87028abb108
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzMo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2732	svchcst.exe
2560	svchcst.exe
1416	svchcst.exe
2788	svchcst.exe
2304	svchcst.exe
948	svchcst.exe
1124	svchcst.exe
2208	svchcst.exe
2712	svchcst.exe
2460	svchcst.exe
2176	svchcst.exe
1416	svchcst.exe
1608	svchcst.exe
2616	svchcst.exe
2420	svchcst.exe
444	svchcst.exe
2884	svchcst.exe
1768	svchcst.exe
2708	svchcst.exe
1556	svchcst.exe
2804	svchcst.exe
2008	svchcst.exe
1656	svchcst.exe
1628	svchcst.exe

Loads dropped DLL 36 IoCs

pid	Process
3004	WScript.exe
3004	WScript.exe
2716	WScript.exe
1588	WScript.exe
1588	WScript.exe
2844	WScript.exe
2844	WScript.exe
2888	WScript.exe
904	WScript.exe
904	WScript.exe
2852	WScript.exe
2036	WScript.exe
2036	WScript.exe
1204	WScript.exe
1204	WScript.exe
1204	WScript.exe
2032	WScript.exe
560	WScript.exe
560	WScript.exe
560	WScript.exe
468	WScript.exe
468	WScript.exe
1132	WScript.exe
1132	WScript.exe
1632	WScript.exe
1632	WScript.exe
2552	WScript.exe
2552	WScript.exe
1240	WScript.exe
1240	WScript.exe
2040	WScript.exe
2040	WScript.exe
1040	WScript.exe
1040	WScript.exe
676	WScript.exe
676	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe
1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe
2732	svchcst.exe
2732	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
948	svchcst.exe
948	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
444	svchcst.exe
444	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
1556	svchcst.exe
1556	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3004	1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe	28
PID 1712 wrote to memory of 3004	1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe	28
PID 1712 wrote to memory of 3004	1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe	28
PID 1712 wrote to memory of 3004	1712	af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe	28
PID 3004 wrote to memory of 2732	3004	WScript.exe	30
PID 3004 wrote to memory of 2732	3004	WScript.exe	30
PID 3004 wrote to memory of 2732	3004	WScript.exe	30
PID 3004 wrote to memory of 2732	3004	WScript.exe	30
PID 2732 wrote to memory of 2716	2732	svchcst.exe	31
PID 2732 wrote to memory of 2716	2732	svchcst.exe	31
PID 2732 wrote to memory of 2716	2732	svchcst.exe	31
PID 2732 wrote to memory of 2716	2732	svchcst.exe	31
PID 2716 wrote to memory of 2560	2716	WScript.exe	32
PID 2716 wrote to memory of 2560	2716	WScript.exe	32
PID 2716 wrote to memory of 2560	2716	WScript.exe	32
PID 2716 wrote to memory of 2560	2716	WScript.exe	32
PID 2560 wrote to memory of 1588	2560	svchcst.exe	33
PID 2560 wrote to memory of 1588	2560	svchcst.exe	33
PID 2560 wrote to memory of 1588	2560	svchcst.exe	33
PID 2560 wrote to memory of 1588	2560	svchcst.exe	33
PID 1588 wrote to memory of 1416	1588	WScript.exe	34
PID 1588 wrote to memory of 1416	1588	WScript.exe	34
PID 1588 wrote to memory of 1416	1588	WScript.exe	34
PID 1588 wrote to memory of 1416	1588	WScript.exe	34
PID 1416 wrote to memory of 2416	1416	svchcst.exe	35
PID 1416 wrote to memory of 2416	1416	svchcst.exe	35
PID 1416 wrote to memory of 2416	1416	svchcst.exe	35
PID 1416 wrote to memory of 2416	1416	svchcst.exe	35
PID 1588 wrote to memory of 2788	1588	WScript.exe	36
PID 1588 wrote to memory of 2788	1588	WScript.exe	36
PID 1588 wrote to memory of 2788	1588	WScript.exe	36
PID 1588 wrote to memory of 2788	1588	WScript.exe	36
PID 2788 wrote to memory of 2844	2788	svchcst.exe	37
PID 2788 wrote to memory of 2844	2788	svchcst.exe	37
PID 2788 wrote to memory of 2844	2788	svchcst.exe	37
PID 2788 wrote to memory of 2844	2788	svchcst.exe	37
PID 2844 wrote to memory of 2304	2844	WScript.exe	38
PID 2844 wrote to memory of 2304	2844	WScript.exe	38
PID 2844 wrote to memory of 2304	2844	WScript.exe	38
PID 2844 wrote to memory of 2304	2844	WScript.exe	38
PID 2304 wrote to memory of 696	2304	svchcst.exe	39
PID 2304 wrote to memory of 696	2304	svchcst.exe	39
PID 2304 wrote to memory of 696	2304	svchcst.exe	39
PID 2304 wrote to memory of 696	2304	svchcst.exe	39
PID 2844 wrote to memory of 948	2844	WScript.exe	40
PID 2844 wrote to memory of 948	2844	WScript.exe	40
PID 2844 wrote to memory of 948	2844	WScript.exe	40
PID 2844 wrote to memory of 948	2844	WScript.exe	40
PID 948 wrote to memory of 2888	948	svchcst.exe	41
PID 948 wrote to memory of 2888	948	svchcst.exe	41
PID 948 wrote to memory of 2888	948	svchcst.exe	41
PID 948 wrote to memory of 2888	948	svchcst.exe	41
PID 2888 wrote to memory of 1124	2888	WScript.exe	42
PID 2888 wrote to memory of 1124	2888	WScript.exe	42
PID 2888 wrote to memory of 1124	2888	WScript.exe	42
PID 2888 wrote to memory of 1124	2888	WScript.exe	42
PID 1124 wrote to memory of 904	1124	svchcst.exe	43
PID 1124 wrote to memory of 904	1124	svchcst.exe	43
PID 1124 wrote to memory of 904	1124	svchcst.exe	43
PID 1124 wrote to memory of 904	1124	svchcst.exe	43
PID 904 wrote to memory of 2208	904	WScript.exe	46
PID 904 wrote to memory of 2208	904	WScript.exe	46
PID 904 wrote to memory of 2208	904	WScript.exe	46
PID 904 wrote to memory of 2208	904	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe
"C:\Users\Admin\AppData\Local\Temp\af226616ff0103d8ad65f857ba21e0c4c2eb3ec45fba475564998fda75c2723c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4334f78105e472e1dfcfdf52b4067a3c

SHA1
8be10fbf77f8834badd92d7b976850fa3480fdb1

SHA256
3cf200a9079bdd9ad40b358266c69dc191e8e3255be634cc86974e48bebed9e2

SHA512
d24ff15ddb9dbd6d71cbe49c44753c5ed9065948db1ebaa0d23cd8bfd1684f3caf70384511ae9580f1866d62f01b166eeaca7f3e4011dfb689a05ac06cdf164d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae63ded87a90f9812749cac189d07a57

SHA1
5a37ba565ce8c2445ff71f7c3d7adc38cb68627f

SHA256
6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236

SHA512
293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bced24313b4cd5d996d61144135a6d42

SHA1
302006eee6d203bfcae75add6205c1c25b280e45

SHA256
4457b3934b3b4676e50c978ed432753780a1120e968303ae403e2a8afa437018

SHA512
292dc9c4170991e574b5bd7b7ad0dd606105c1d2b6214defc848089f40e6842bfafdc47c560278384ab11c95f85197c65109ab9bf9f95f43d67c49d913d2ef1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4ce146627eb441a9ecdc98370ba03ba0

SHA1
5e3a1ab52ef4717adb4da0f3b368872d69fd3829

SHA256
c4a146a200d572992c8a425f8af699f4336337d668646ee9dd1bc8db5638cc50

SHA512
45ce8e6d093bbbff846338f74291ff06ee7262b3c38de12237c9f72a842abd1908f61768dc9e12e51aa8f17954e5cbc9df852fd5a53a643b6106e33ede0ba915

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
94164f1e1ae28ce5ceac1ff5ff5d9252

SHA1
e893b184c590b3f664ad1c2a4993dafd1e05c50e

SHA256
720978cc346f592c60ec1565930a6a0d438f3f373c309f33eeeced47f29ac24d

SHA512
a6360d123902fb6df45538dda5b4b4d9ef5ca89b634b559fdc6acc18e8a6bb95f19caa4a284de832bdd8b4697de1d8b881f503c0aa91e5c0fa0ee18acee2de84

Download Submit
memory/1712-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download