a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe
Size

1.1MB
MD5

29b0df87da22fc91e048535e4cd39734
SHA1

530e44aecc469182b45f40d8adcd7f85f032e9c5
SHA256

a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626
SHA512

246aff82b288cd6364be440ba60accd453d54d03b3994668ec054080d87e4d2b822cae82d939aebd463f94a3d71754ed69ec02ddba7a16db5655dba1347d476c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QJ:CcaClSFlG4ZM7QzMK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2568	svchcst.exe
288	svchcst.exe
408	svchcst.exe
2188	svchcst.exe
2328	svchcst.exe
1168	svchcst.exe
2392	svchcst.exe
2976	svchcst.exe
376	svchcst.exe
2808	svchcst.exe
1408	svchcst.exe
2148	svchcst.exe
1524	svchcst.exe
1704	svchcst.exe
2004	svchcst.exe
2096	svchcst.exe
2300	svchcst.exe
2344	svchcst.exe
2852	svchcst.exe
1000	svchcst.exe
1824	svchcst.exe
2280	svchcst.exe
2168	svchcst.exe
2880	svchcst.exe

Loads dropped DLL 47 IoCs

pid	Process
2776	WScript.exe
2776	WScript.exe
2640	WScript.exe
2640	WScript.exe
2304	WScript.exe
2304	WScript.exe
1640	WScript.exe
1640	WScript.exe
2128	WScript.exe
2128	WScript.exe
2256	WScript.exe
2256	WScript.exe
1072	WScript.exe
1072	WScript.exe
820	WScript.exe
820	WScript.exe
2836	WScript.exe
2836	WScript.exe
2360	WScript.exe
2360	WScript.exe
2924	WScript.exe
2924	WScript.exe
448	WScript.exe
448	WScript.exe
2168	WScript.exe
2168	WScript.exe
1728	WScript.exe
1728	WScript.exe
2328	WScript.exe
2328	WScript.exe
3068	WScript.exe
3008	WScript.exe
3008	WScript.exe
576	WScript.exe
576	WScript.exe
2516	WScript.exe
2516	WScript.exe
2352	WScript.exe
2352	WScript.exe
332	WScript.exe
332	WScript.exe
1640	WScript.exe
1640	WScript.exe
1356	WScript.exe
1356	WScript.exe
788	WScript.exe
788	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe
2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe
2568	svchcst.exe
2568	svchcst.exe
288	svchcst.exe
288	svchcst.exe
408	svchcst.exe
408	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
376	svchcst.exe
376	svchcst.exe
2808	svchcst.exe
2808	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
1000	svchcst.exe
1000	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2776	2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe	30
PID 2152 wrote to memory of 2776	2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe	30
PID 2152 wrote to memory of 2776	2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe	30
PID 2152 wrote to memory of 2776	2152	a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe	30
PID 2776 wrote to memory of 2568	2776	WScript.exe	32
PID 2776 wrote to memory of 2568	2776	WScript.exe	32
PID 2776 wrote to memory of 2568	2776	WScript.exe	32
PID 2776 wrote to memory of 2568	2776	WScript.exe	32
PID 2568 wrote to memory of 2640	2568	svchcst.exe	33
PID 2568 wrote to memory of 2640	2568	svchcst.exe	33
PID 2568 wrote to memory of 2640	2568	svchcst.exe	33
PID 2568 wrote to memory of 2640	2568	svchcst.exe	33
PID 2640 wrote to memory of 288	2640	WScript.exe	34
PID 2640 wrote to memory of 288	2640	WScript.exe	34
PID 2640 wrote to memory of 288	2640	WScript.exe	34
PID 2640 wrote to memory of 288	2640	WScript.exe	34
PID 288 wrote to memory of 2304	288	svchcst.exe	35
PID 288 wrote to memory of 2304	288	svchcst.exe	35
PID 288 wrote to memory of 2304	288	svchcst.exe	35
PID 288 wrote to memory of 2304	288	svchcst.exe	35
PID 2304 wrote to memory of 408	2304	WScript.exe	36
PID 2304 wrote to memory of 408	2304	WScript.exe	36
PID 2304 wrote to memory of 408	2304	WScript.exe	36
PID 2304 wrote to memory of 408	2304	WScript.exe	36
PID 408 wrote to memory of 1640	408	svchcst.exe	37
PID 408 wrote to memory of 1640	408	svchcst.exe	37
PID 408 wrote to memory of 1640	408	svchcst.exe	37
PID 408 wrote to memory of 1640	408	svchcst.exe	37
PID 1640 wrote to memory of 2188	1640	WScript.exe	38
PID 1640 wrote to memory of 2188	1640	WScript.exe	38
PID 1640 wrote to memory of 2188	1640	WScript.exe	38
PID 1640 wrote to memory of 2188	1640	WScript.exe	38
PID 2188 wrote to memory of 2128	2188	svchcst.exe	39
PID 2188 wrote to memory of 2128	2188	svchcst.exe	39
PID 2188 wrote to memory of 2128	2188	svchcst.exe	39
PID 2188 wrote to memory of 2128	2188	svchcst.exe	39
PID 2128 wrote to memory of 2328	2128	WScript.exe	40
PID 2128 wrote to memory of 2328	2128	WScript.exe	40
PID 2128 wrote to memory of 2328	2128	WScript.exe	40
PID 2128 wrote to memory of 2328	2128	WScript.exe	40
PID 2328 wrote to memory of 2256	2328	svchcst.exe	41
PID 2328 wrote to memory of 2256	2328	svchcst.exe	41
PID 2328 wrote to memory of 2256	2328	svchcst.exe	41
PID 2328 wrote to memory of 2256	2328	svchcst.exe	41
PID 2256 wrote to memory of 1168	2256	WScript.exe	42
PID 2256 wrote to memory of 1168	2256	WScript.exe	42
PID 2256 wrote to memory of 1168	2256	WScript.exe	42
PID 2256 wrote to memory of 1168	2256	WScript.exe	42
PID 1168 wrote to memory of 1072	1168	svchcst.exe	43
PID 1168 wrote to memory of 1072	1168	svchcst.exe	43
PID 1168 wrote to memory of 1072	1168	svchcst.exe	43
PID 1168 wrote to memory of 1072	1168	svchcst.exe	43
PID 1072 wrote to memory of 2392	1072	WScript.exe	44
PID 1072 wrote to memory of 2392	1072	WScript.exe	44
PID 1072 wrote to memory of 2392	1072	WScript.exe	44
PID 1072 wrote to memory of 2392	1072	WScript.exe	44
PID 2392 wrote to memory of 820	2392	svchcst.exe	45
PID 2392 wrote to memory of 820	2392	svchcst.exe	45
PID 2392 wrote to memory of 820	2392	svchcst.exe	45
PID 2392 wrote to memory of 820	2392	svchcst.exe	45
PID 820 wrote to memory of 2976	820	WScript.exe	46
PID 820 wrote to memory of 2976	820	WScript.exe	46
PID 820 wrote to memory of 2976	820	WScript.exe	46
PID 820 wrote to memory of 2976	820	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe
"C:\Users\Admin\AppData\Local\Temp\a9a34032817f4e60f69eb605bd872d0e2380e4a86a1cc05bd2a7d4fb57f36626.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:288
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
83c278443eccb402c84b7170b854d88f

SHA1
4b877aaff6a076d3d2006ac9532d6ca7d3bb0a39

SHA256
f89c16abc7fdd1e57129363086d4bf86248bae6348ef81d560bfb2e4a59911f7

SHA512
633d1b4b256d3490ebc5ba155ed26a0c50a5be9ea88317d43492eb2343a305048b44596b0ce7d0ab95e9b0ea544e95a076de882b1429f0ccc0611cf1cd33dabd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0d949a24f926adc30372787f7bbc5a6f

SHA1
f56010f07b61b7be4e9e7219cff611e49d16574a

SHA256
1b6d07ab2e3aac1514bfb68bf47a4661f5e7407ad41915f9ac838908cec36980

SHA512
b9d267b1019e1c7c395cf3921bc92ad41f9ea778738adaac5c637a9a39a43d8efae64a70cfe36f2d593687a30a82b418677f8733c6481e5fa10fb31c126f6b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c778c11e42dc65628b54ed21545ab77e

SHA1
501c6b04c1bae74cb42970225343cea1ec721a96

SHA256
ded9c1ad1634760a47856fda850d22abf2d27038ab7e8964269217cd65b83528

SHA512
f0a5781bf4a3b6cde50912f7cd907c593902552e9f6d0809f4a89444fe994c3bce418f2c7eb31ccbfb199837442b5ce0acb55f3dbe1b18880937b23762c414c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8523255ccdc0f62913176375329accc

SHA1
145c5b97d58b9b01ec931552a2f0ecfe6d975c8c

SHA256
bafc276a4591bdfcd44ddf27c1af80bd6ee20dc77cc4bc879aa7dbc0af404cf0

SHA512
2f0a25eea4905131cca2f708c03ea91224243df4087b46da8de555fe12af7637c4fb8e7e693bc9aa738a4576e68aa8885fb6b383e532246845f098df830de980

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7ba9ef68689b2d997105004c0231f290

SHA1
2002d1ecb0a11f864f9715739e76c7b52022e7f1

SHA256
91e3ed3231788976ae0e2ef13b8ca8196b19998a060d548b67cdc02c7ad8b924

SHA512
205dc169ffd1156f33ea618ae77c3d45a87ea7272145dd127c6db5d73af02309f251fa8886f0f85bb90a4742c2e781393f4fea576dc9588e9f152f3d7cafe5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2d2121143d810c81518d6709de1745d7

SHA1
2542f2b45415628a18776f9972b8a193fbd1b04b

SHA256
a55a2c61ab94d4295dfab64e5a08b2f8ed38016d91b33a3347c09c902cf1d02c

SHA512
87fb1fbdb83749915f67831a139b2ca2ff85238729b44ba0aadcf115ff0b8933d75aba34522512c87945a71ec23eaa3aa591e8324953a05b5d1f230669df5b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a24d4d5f2b001c5fc7a88a2d8dc08aa

SHA1
884fda72b2df5944aa19aecfdad3230a0d056f34

SHA256
78240d9b7e2389d802fd8f6061221a6ef5b1490449484a64827ad0b2f79b1b2b

SHA512
34c5d01ca981c345a0377d1c70361836793b868fcf6e13ee2fc0399f0f7916ffb62989ae03cfe2ab756ca5195b6fca0264939d57d901f4e1cecbef1e4bebef0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ec9898e89db4fa4eb78f04758898f02e

SHA1
63cbb74274f633164bcf44b0008483a0a4c89ef7

SHA256
fecc825a107dfb4db6fdc5dbb09fdf57d6fa3d2080d5c5eed0b8db9506dd8d1e

SHA512
500191ad44383b5cac3f4b8b44900447b17154e29badaf53b19a8c58b59c43e95169af272373f919eefb0c81abdbc1877518762333a099196d40f519d91de4ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ab70464e9130a47570d1deb67a76994c

SHA1
0129177d3bffc866a76b3b41db1d0f6f6068fc0d

SHA256
e9808b1cc57f902409a70ac7811ecec8a659943e45f505934ad89f8588edfd0f

SHA512
667e43cc5e857ae25c44f2cbd303e9a6d3d2e49307c8fda50564649d54786e398552d207c533110523b1449e2ad423c14ead0ac37e8eaf61b0ccd74396ac7d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ca7c7c0e209e866488ba43c28620e0e6

SHA1
e8563fbc8438455ddb05b35c9dff6ff043e92aab

SHA256
12ab24ee8f1aa3092b0baa3c670a0b521bbe42e7592e1a3e02701260761cfa7f

SHA512
5fc171118fa2e78e7da78cc78290726e6c3cdc758c7314acd620e15b0bcb0b127634e8d73ef21abe74b79b165631599ff3eb73c07205bcacd0fb88d983ecafdb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
672046b3a26f0b646db40838600c284d

SHA1
c082a4e5e0d3b257c62cfe00067551f0f935177b

SHA256
80f4bc044caf2d9f380ef9c1e417c4532177f937086a87260349075134a260ee

SHA512
3e9dfd871b0186aa0b3e65d6a6bfabafd57525961aea4217f1e80677df770e7803bbb4410fa2331808147e03c4a6ef035742a9c0ecb4cce31f0b8495db3bb3a4

Download Submit
memory/2152-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download