b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe
Size

1.1MB
MD5

53b10c82c21876fb4e7824c78209222e
SHA1

73ceb90fda7691077aa33c0bf3d04d52ef7485c7
SHA256

b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805
SHA512

fa11693fe44ea483089dddc70dc80cf9a884d2c8ea3edc95b47dacb58f482d5621c0cb3cf5e432e8c7b49ffd6ba8db719ed5c264a9f5f13b9612d2146532854b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QT:CcaClSFlG4ZM7QzMk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2768	svchcst.exe
1064	svchcst.exe
2220	svchcst.exe
1812	svchcst.exe
628	svchcst.exe
2192	svchcst.exe
1388	svchcst.exe
1616	svchcst.exe
2576	svchcst.exe
1712	svchcst.exe
1676	svchcst.exe
280	svchcst.exe
2792	svchcst.exe
940	svchcst.exe
2064	svchcst.exe
340	svchcst.exe
2552	svchcst.exe
2076	svchcst.exe
2804	svchcst.exe
1696	svchcst.exe
1676	svchcst.exe
2520	svchcst.exe
1844	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2656	WScript.exe
2656	WScript.exe
2544	WScript.exe
2544	WScript.exe
540	WScript.exe
1212	WScript.exe
1580	WScript.exe
1580	WScript.exe
2416	WScript.exe
2272	WScript.exe
2932	WScript.exe
2932	WScript.exe
3020	WScript.exe
3020	WScript.exe
2472	WScript.exe
2472	WScript.exe
2016	WScript.exe
2016	WScript.exe
2236	WScript.exe
2236	WScript.exe
1968	WScript.exe
1968	WScript.exe
864	WScript.exe
864	WScript.exe
1660	WScript.exe
1660	WScript.exe
2008	WScript.exe
2008	WScript.exe
2152	WScript.exe
2152	WScript.exe
2988	WScript.exe
2988	WScript.exe
2480	WScript.exe
2480	WScript.exe
1748	WScript.exe
1748	WScript.exe
2264	WScript.exe
2264	WScript.exe
1688	WScript.exe
1688	WScript.exe
2432	WScript.exe
2432	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe
2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe
2768	svchcst.exe
2768	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
628	svchcst.exe
628	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
1388	svchcst.exe
1388	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
280	svchcst.exe
280	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
940	svchcst.exe
940	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
340	svchcst.exe
340	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2076	svchcst.exe
2076	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2656	2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe	28
PID 2988 wrote to memory of 2656	2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe	28
PID 2988 wrote to memory of 2656	2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe	28
PID 2988 wrote to memory of 2656	2988	b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe	28
PID 2656 wrote to memory of 2768	2656	WScript.exe	30
PID 2656 wrote to memory of 2768	2656	WScript.exe	30
PID 2656 wrote to memory of 2768	2656	WScript.exe	30
PID 2656 wrote to memory of 2768	2656	WScript.exe	30
PID 2768 wrote to memory of 2544	2768	svchcst.exe	31
PID 2768 wrote to memory of 2544	2768	svchcst.exe	31
PID 2768 wrote to memory of 2544	2768	svchcst.exe	31
PID 2768 wrote to memory of 2544	2768	svchcst.exe	31
PID 2544 wrote to memory of 1064	2544	WScript.exe	32
PID 2544 wrote to memory of 1064	2544	WScript.exe	32
PID 2544 wrote to memory of 1064	2544	WScript.exe	32
PID 2544 wrote to memory of 1064	2544	WScript.exe	32
PID 1064 wrote to memory of 540	1064	svchcst.exe	33
PID 1064 wrote to memory of 540	1064	svchcst.exe	33
PID 1064 wrote to memory of 540	1064	svchcst.exe	33
PID 1064 wrote to memory of 540	1064	svchcst.exe	33
PID 540 wrote to memory of 2220	540	WScript.exe	34
PID 540 wrote to memory of 2220	540	WScript.exe	34
PID 540 wrote to memory of 2220	540	WScript.exe	34
PID 540 wrote to memory of 2220	540	WScript.exe	34
PID 2220 wrote to memory of 1212	2220	svchcst.exe	35
PID 2220 wrote to memory of 1212	2220	svchcst.exe	35
PID 2220 wrote to memory of 1212	2220	svchcst.exe	35
PID 2220 wrote to memory of 1212	2220	svchcst.exe	35
PID 1212 wrote to memory of 1812	1212	WScript.exe	38
PID 1212 wrote to memory of 1812	1212	WScript.exe	38
PID 1212 wrote to memory of 1812	1212	WScript.exe	38
PID 1212 wrote to memory of 1812	1212	WScript.exe	38
PID 1812 wrote to memory of 1580	1812	svchcst.exe	39
PID 1812 wrote to memory of 1580	1812	svchcst.exe	39
PID 1812 wrote to memory of 1580	1812	svchcst.exe	39
PID 1812 wrote to memory of 1580	1812	svchcst.exe	39
PID 1580 wrote to memory of 628	1580	WScript.exe	40
PID 1580 wrote to memory of 628	1580	WScript.exe	40
PID 1580 wrote to memory of 628	1580	WScript.exe	40
PID 1580 wrote to memory of 628	1580	WScript.exe	40
PID 628 wrote to memory of 2416	628	svchcst.exe	41
PID 628 wrote to memory of 2416	628	svchcst.exe	41
PID 628 wrote to memory of 2416	628	svchcst.exe	41
PID 628 wrote to memory of 2416	628	svchcst.exe	41
PID 2416 wrote to memory of 2192	2416	WScript.exe	42
PID 2416 wrote to memory of 2192	2416	WScript.exe	42
PID 2416 wrote to memory of 2192	2416	WScript.exe	42
PID 2416 wrote to memory of 2192	2416	WScript.exe	42
PID 2192 wrote to memory of 2272	2192	svchcst.exe	43
PID 2192 wrote to memory of 2272	2192	svchcst.exe	43
PID 2192 wrote to memory of 2272	2192	svchcst.exe	43
PID 2192 wrote to memory of 2272	2192	svchcst.exe	43
PID 2272 wrote to memory of 1388	2272	WScript.exe	44
PID 2272 wrote to memory of 1388	2272	WScript.exe	44
PID 2272 wrote to memory of 1388	2272	WScript.exe	44
PID 2272 wrote to memory of 1388	2272	WScript.exe	44
PID 1388 wrote to memory of 2932	1388	svchcst.exe	45
PID 1388 wrote to memory of 2932	1388	svchcst.exe	45
PID 1388 wrote to memory of 2932	1388	svchcst.exe	45
PID 1388 wrote to memory of 2932	1388	svchcst.exe	45
PID 2932 wrote to memory of 1616	2932	WScript.exe	46
PID 2932 wrote to memory of 1616	2932	WScript.exe	46
PID 2932 wrote to memory of 1616	2932	WScript.exe	46
PID 2932 wrote to memory of 1616	2932	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe
"C:\Users\Admin\AppData\Local\Temp\b6ed85c244178707f3f6fc0abea61fcede037a707d4beef41a4d381d6c23f805.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bcf15ca951b7efc5e1a81df44baedc9f

SHA1
9399c0ca58a22baa02f53d109cc62ded0afbb260

SHA256
177d6d163d70aa9259561cfa894d6b6f62bc7c7bd35f2dbe3a4f93135f7e2b64

SHA512
fd5fe1c33e866f6852ae96550749e7f7d66466bf69cd4fd6d5aa5d26970581b55ff14f17cf1dff6674e71a2127b38f49710f3e314df0b71f22dcf29bd4556128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aac0fba8016aa15609aa7abb5db077ae

SHA1
f8afa6ff11a91f46eb961727ec6a5fad360fa1c9

SHA256
76a6ce5f2e579dc37db23bb0e1ef5ebdd8b02e6b22b6f8da1a17964db237a8a0

SHA512
26a4910f08563b7c4b1e1abba82fefdefcb43b7d1149d5e6c7dda36db4aa142c4b74bc64263f23a5177804e2191696795e0de5d5368ea6903b398415d435962e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25874246c29e6249372a62c1ffb8a1ae

SHA1
8b271268ba9ae539e8c5ca3233e5f85772899926

SHA256
3d9e506a169afe13ea22a91f88363de0837fc11723beb0425f564262d104bb59

SHA512
bb48d383a7aa5bc14fbe010fd778e40512b1079fa7c66757041b6e79c51bf6a719b058434d6c603db81d8d5bd269f354d153ca899aaae789e25061f005afcdaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ed579901f90b1388ffc9ea8df66ceb67

SHA1
b211589b25652ab483ebdcccf0deba42ea91e7a1

SHA256
0056c69a6a81d634399b3d74fff17f9dcffc3dd78dc81e3d0e6282203797e816

SHA512
d4652d669a316ba937c1374f04bc6c5e6cb3c9f77526848d849d78696f1ab7d312a1de3f9d955351e1b755f8166b8ad1ccf7a66c98673ebb3ee124d95e43e4df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
230ab78a7571ddf6747d13b615e372a1

SHA1
3e97d97f571e129ccee16a5776ac375fc94466c8

SHA256
b30c1c32ccad680ee7cd8d73c1551bf188798d565f412112d50ce8d411ae3612

SHA512
302cd9c22636fd4f9cd9302221ea2cf5e97c00b59a6a5e3b6c0992d02aa52b4e32c25ca940e79dc1716498a8f00a3d6550b5806ef196a5918026a8dab5f1899f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0bc5229fe93a4eb362d02744b68b096c

SHA1
db1cf7522dab5d9140d3936d0df29c0bebc97aeb

SHA256
e6fd355f829ac1d98de2f8204621ae7cd1eff132eaff3ef8ed69f6df058bcd2a

SHA512
a67e6d4205ba9e40fdaa767d9168e014dcb2dbd2e1500adf6ba2830cd5560c63e8937e74156de1fc1eb811b78b93656e71f2e10787fbc286a424b4cfdd0d6386

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fa919d999157dae4c3d45db55d3052df

SHA1
08b73118ed2d14f1672bb3d1545d5e5c450d1c25

SHA256
098cc99815dda6b6daaf0b833967a2f1a1133ec83a7acfc6d1b96952daf788d0

SHA512
b34a2a49d589d314276270d7fd776acfda00d7e89bc7eee32f5ab65a04aa5242457a06d397a23409c03cd3782de8e1705c7b23f22886aca498a30a03b7f139ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f84ff3a95fdf2162e6b19922a05eab17

SHA1
66df0e4581551d87d952a3dfb47942664fbc1d12

SHA256
ef35496fb08a02e62be276d06cbe0a0b33d85aa95f6be7f4acc595519150cf3d

SHA512
dde65c9afedd6fb96255a2a16a2920b68a8eec457731e3acacd4869aeef95169d86ae17aaad90ab4fc0027cb09128ad41b320811ddf50c84d7352a4a7b62253f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a3d9616ad79a4d405508f771b529513c

SHA1
988bdca92d6ff95b276a708157657b5519f5ff60

SHA256
72fd094101ea4429e106ccc3dfa8352d86cface193d1382306933ac954cf40d0

SHA512
290b0d3951361f736ceb4d9ec5ef7cae3d0ed1281aae5c31566755cd71c104b9451a379f2c1674bd7129aef39be15e70b6ca7de66decba6c01b00ad80c2082ce

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
93d9d2663739cd956eb55fb311297d18

SHA1
b4e5b8e05709cd08defb8ba5745735a826266ab6

SHA256
b8976ba287f4b6b071d18902a4d45bcb56efd23c062ac141961e993f3601c958

SHA512
731f324fb49ccab9d1ee8cc296edb343e4e959f667e95c977249c6afd60d9f016c2c59fa1096367e120f436378d620f2a71a6a5b125b08d945dc8f1efb3aa28b

Download Submit
memory/2988-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download