14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
Size

1.1MB
MD5

bcdc520d26dd15f178b19372f9d01427
SHA1

f2e2b05595b4c9b9adc2ac82e4a2ce4f8023dffc
SHA256

14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff
SHA512

606cbce3a6f2764f1bebe246d4715151f68deede066eed2e587cda20b28137d1553135bfa9a83b4df2ad18dbddcdf13ffddef77a782358a3c801b6589fced34a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2804	svchcst.exe
1432	svchcst.exe
1872	svchcst.exe
2176	svchcst.exe
324	svchcst.exe
1136	svchcst.exe
1240	svchcst.exe
1716	svchcst.exe
2816	svchcst.exe
2380	svchcst.exe
2232	svchcst.exe
1660	svchcst.exe
2912	svchcst.exe
1692	svchcst.exe
2344	svchcst.exe
1808	svchcst.exe
1716	svchcst.exe
2512	svchcst.exe
1996	svchcst.exe
1072	svchcst.exe
1032	svchcst.exe
2544	svchcst.exe
704	svchcst.exe

Loads dropped DLL 41 IoCs

pid	Process
2624	WScript.exe
2624	WScript.exe
2480	WScript.exe
2548	WScript.exe
1948	WScript.exe
2088	WScript.exe
600	WScript.exe
1560	WScript.exe
1560	WScript.exe
2312	WScript.exe
2312	WScript.exe
2892	WScript.exe
2892	WScript.exe
2904	WScript.exe
2904	WScript.exe
1576	WScript.exe
1576	WScript.exe
2788	WScript.exe
2788	WScript.exe
2092	WScript.exe
2092	WScript.exe
2420	WScript.exe
2420	WScript.exe
860	WScript.exe
860	WScript.exe
2288	WScript.exe
2288	WScript.exe
1848	WScript.exe
1848	WScript.exe
2284	WScript.exe
2284	WScript.exe
2620	WScript.exe
2620	WScript.exe
2832	WScript.exe
2832	WScript.exe
2180	WScript.exe
2180	WScript.exe
2432	WScript.exe
2432	WScript.exe
360	WScript.exe
360	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
2804	svchcst.exe
2804	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
1872	svchcst.exe
1872	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
324	svchcst.exe
324	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
1808	svchcst.exe
1808	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
1072	svchcst.exe
1072	svchcst.exe
1032	svchcst.exe
1032	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
704	svchcst.exe
704	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2624	2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe	28
PID 2944 wrote to memory of 2624	2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe	28
PID 2944 wrote to memory of 2624	2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe	28
PID 2944 wrote to memory of 2624	2944	14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe	28
PID 2624 wrote to memory of 2804	2624	WScript.exe	30
PID 2624 wrote to memory of 2804	2624	WScript.exe	30
PID 2624 wrote to memory of 2804	2624	WScript.exe	30
PID 2624 wrote to memory of 2804	2624	WScript.exe	30
PID 2804 wrote to memory of 2480	2804	svchcst.exe	31
PID 2804 wrote to memory of 2480	2804	svchcst.exe	31
PID 2804 wrote to memory of 2480	2804	svchcst.exe	31
PID 2804 wrote to memory of 2480	2804	svchcst.exe	31
PID 2480 wrote to memory of 1432	2480	WScript.exe	32
PID 2480 wrote to memory of 1432	2480	WScript.exe	32
PID 2480 wrote to memory of 1432	2480	WScript.exe	32
PID 2480 wrote to memory of 1432	2480	WScript.exe	32
PID 1432 wrote to memory of 2548	1432	svchcst.exe	33
PID 1432 wrote to memory of 2548	1432	svchcst.exe	33
PID 1432 wrote to memory of 2548	1432	svchcst.exe	33
PID 1432 wrote to memory of 2548	1432	svchcst.exe	33
PID 2548 wrote to memory of 1872	2548	WScript.exe	34
PID 2548 wrote to memory of 1872	2548	WScript.exe	34
PID 2548 wrote to memory of 1872	2548	WScript.exe	34
PID 2548 wrote to memory of 1872	2548	WScript.exe	34
PID 1872 wrote to memory of 1948	1872	svchcst.exe	35
PID 1872 wrote to memory of 1948	1872	svchcst.exe	35
PID 1872 wrote to memory of 1948	1872	svchcst.exe	35
PID 1872 wrote to memory of 1948	1872	svchcst.exe	35
PID 1948 wrote to memory of 2176	1948	WScript.exe	36
PID 1948 wrote to memory of 2176	1948	WScript.exe	36
PID 1948 wrote to memory of 2176	1948	WScript.exe	36
PID 1948 wrote to memory of 2176	1948	WScript.exe	36
PID 2176 wrote to memory of 2088	2176	svchcst.exe	37
PID 2176 wrote to memory of 2088	2176	svchcst.exe	37
PID 2176 wrote to memory of 2088	2176	svchcst.exe	37
PID 2176 wrote to memory of 2088	2176	svchcst.exe	37
PID 2088 wrote to memory of 324	2088	WScript.exe	38
PID 2088 wrote to memory of 324	2088	WScript.exe	38
PID 2088 wrote to memory of 324	2088	WScript.exe	38
PID 2088 wrote to memory of 324	2088	WScript.exe	38
PID 324 wrote to memory of 600	324	svchcst.exe	39
PID 324 wrote to memory of 600	324	svchcst.exe	39
PID 324 wrote to memory of 600	324	svchcst.exe	39
PID 324 wrote to memory of 600	324	svchcst.exe	39
PID 600 wrote to memory of 1136	600	WScript.exe	40
PID 600 wrote to memory of 1136	600	WScript.exe	40
PID 600 wrote to memory of 1136	600	WScript.exe	40
PID 600 wrote to memory of 1136	600	WScript.exe	40
PID 1136 wrote to memory of 1560	1136	svchcst.exe	41
PID 1136 wrote to memory of 1560	1136	svchcst.exe	41
PID 1136 wrote to memory of 1560	1136	svchcst.exe	41
PID 1136 wrote to memory of 1560	1136	svchcst.exe	41
PID 1560 wrote to memory of 1240	1560	WScript.exe	42
PID 1560 wrote to memory of 1240	1560	WScript.exe	42
PID 1560 wrote to memory of 1240	1560	WScript.exe	42
PID 1560 wrote to memory of 1240	1560	WScript.exe	42
PID 1240 wrote to memory of 2312	1240	svchcst.exe	43
PID 1240 wrote to memory of 2312	1240	svchcst.exe	43
PID 1240 wrote to memory of 2312	1240	svchcst.exe	43
PID 1240 wrote to memory of 2312	1240	svchcst.exe	43
PID 2312 wrote to memory of 1716	2312	WScript.exe	46
PID 2312 wrote to memory of 1716	2312	WScript.exe	46
PID 2312 wrote to memory of 1716	2312	WScript.exe	46
PID 2312 wrote to memory of 1716	2312	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe
"C:\Users\Admin\AppData\Local\Temp\14d3cbd401d6491c497b4a44efbf3e88bc7511dd108de12fd669da610613f7ff.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3fa79614b42682f3c91bfa08f76b6633

SHA1
72626c0931c2c9864a6d8a236c117247f3ddbde8

SHA256
74d40b8f086fff0f4318ac5b46ffb58a2d40dbbf3ad54d43034563a1f5d2fac9

SHA512
ba93b022c037afb399a837d6ac4a1458f7f97d063f7b8ed11b82f3fae4ec37c39bec202f6af4dafa247e219fa77695e209855498b5e57f9a59dcd43632a35b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4185144afed2669792602bfb4c9ca8b6

SHA1
38c2222b3b936903ee85a059f4e5f397d626f59e

SHA256
f1d37c46f6e5dc427bb2a3eaa07ebf1dd4f4e468200a7ed17f7ccd063161f3f4

SHA512
4baa224cb2cdefd3369d44c8ff79832d9f46e8b9900d60d1232714fe6124ba77d288c0ea43bb25c650b6b6335174573fa4b96340ce7003cbdd48267426551e7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ce3535ba88909594a767dd5ff0aa0f53

SHA1
4c80ac25731a266ec63751ec8e1df4d6ba91c5f1

SHA256
dab750d4509aa84416be7ad64ace704083040791cc2edd764e41ff19eaa6fe4d

SHA512
f22730fc2b8d7238238da7d58e90d3c9582e6bcf1ecefd8ea80c09a4220aee5fbad4ff2ff1a8caea99f7ba9cdda5f9a3f87cddbb03a494815192d8152858f26f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e4e7015670602a06bafc1b5d920bc033

SHA1
823122b0f477033381991ebde46b275da4463771

SHA256
63497a4a849beb6b06bdaa618d535c257af862f09c3d055fc8b867b45f114f9a

SHA512
ca9825a189139231e830fb78423c663360de9a3a62c907cf458d9d1619a14977522bc2b70adfa84987a34ac4b188569671d260a32b437690d823f5a6893eb69b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dee308a1d4ca759593f9502cc9f6bd74

SHA1
983ae27c6682295ddccf34ffb9635a1ff2c3b5ef

SHA256
fdd8005e9f295fa77e0a786e1dd8e8fd4a398bda71adf34411855a66e17ecfbd

SHA512
1d82614aa6d578ee54fab43698676aaa3abea6fac5f9229187fc3249bbc0e48dd21c341682e8dd70b75dd4879d25f96f2abf4d0c2370d033e7de4136fde8426c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6464459f493d69048517c7cda529823d

SHA1
8385601dfb33802ccf2337ec9a73022e99d5fb42

SHA256
33f80a0624293cfdae3bb12a9d6101e03b9860d0476b4450ddc985c80fb7d5aa

SHA512
4ec76650aec3b3369e84e54e258d251d66e48e16e10a68a3c8cecf4fc4f4b62db5dccd9c820172d92256935591677314abe198f34cececf8de7bd013cafe733b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
38d186a1bdfd9973f3aba56ad78e8d7a

SHA1
75b7426e06f0936c3322a7ef592e119f6af40f5d

SHA256
f5f74929b64b0786bf3fad4150ec893bb729530b9ee12cd7509505573ce15a18

SHA512
361791fcf3bc6d2e861d31b26b3e3c65ef5b5fe48b0cca458759443ee1eeae1f5976b504d30f4090403b169b7c4c1550bdd08828864356fde1a1abb8dd3ded6c

Download Submit
memory/2944-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download