31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 23:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe
Size

1.1MB
MD5

6c8a58f6c846ee1322e8314c1f9f426d
SHA1

6d936700379cad413c399bfa94e71ad61e4e9fbd
SHA256

31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b
SHA512

24caa7ee2067f0edb3bf30741541f0b8fc53386104b4e2cef2bf7fdafdd6c5d8d145f0dd8b840299120778b009a75a5782d07d7b3ddaa136f4a52d23c1c2330d
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qj:CcaClSFlG4ZM7QzMU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2820	svchcst.exe
3040	svchcst.exe
1548	svchcst.exe
2696	svchcst.exe
1132	svchcst.exe
2032	svchcst.exe
2560	svchcst.exe
2108	svchcst.exe
2664	svchcst.exe
3036	svchcst.exe
2500	svchcst.exe
2488	svchcst.exe
2576	svchcst.exe
1208	svchcst.exe
324	svchcst.exe
1788	svchcst.exe
2776	svchcst.exe
2936	svchcst.exe
2432	svchcst.exe
2348	svchcst.exe
1540	svchcst.exe
3016	svchcst.exe
328	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
1992	WScript.exe
1992	WScript.exe
1676	WScript.exe
1204	WScript.exe
1204	WScript.exe
1204	WScript.exe
1016	WScript.exe
1016	WScript.exe
1288	WScript.exe
1288	WScript.exe
2208	WScript.exe
2208	WScript.exe
1428	WScript.exe
1428	WScript.exe
2096	WScript.exe
2096	WScript.exe
3044	WScript.exe
3044	WScript.exe
1840	WScript.exe
1840	WScript.exe
2204	WScript.exe
2204	WScript.exe
1716	WScript.exe
1716	WScript.exe
1132	WScript.exe
1132	WScript.exe
1692	WScript.exe
1692	WScript.exe
1576	WScript.exe
1576	WScript.exe
2532	WScript.exe
2532	WScript.exe
2152	WScript.exe
2152	WScript.exe
376	WScript.exe
376	WScript.exe
2748	WScript.exe
2748	WScript.exe
2440	WScript.exe
2440	WScript.exe
1512	WScript.exe
1512	WScript.exe
1536	WScript.exe
1536	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe
1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe
2820	svchcst.exe
2820	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
1548	svchcst.exe
1548	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
1208	svchcst.exe
1208	svchcst.exe
324	svchcst.exe
324	svchcst.exe
1788	svchcst.exe
1788	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
1540	svchcst.exe
1540	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
328	svchcst.exe
328	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1992	1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe	30
PID 1740 wrote to memory of 1992	1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe	30
PID 1740 wrote to memory of 1992	1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe	30
PID 1740 wrote to memory of 1992	1740	31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe	30
PID 1992 wrote to memory of 2820	1992	WScript.exe	33
PID 1992 wrote to memory of 2820	1992	WScript.exe	33
PID 1992 wrote to memory of 2820	1992	WScript.exe	33
PID 1992 wrote to memory of 2820	1992	WScript.exe	33
PID 2820 wrote to memory of 1676	2820	svchcst.exe	34
PID 2820 wrote to memory of 1676	2820	svchcst.exe	34
PID 2820 wrote to memory of 1676	2820	svchcst.exe	34
PID 2820 wrote to memory of 1676	2820	svchcst.exe	34
PID 1676 wrote to memory of 3040	1676	WScript.exe	35
PID 1676 wrote to memory of 3040	1676	WScript.exe	35
PID 1676 wrote to memory of 3040	1676	WScript.exe	35
PID 1676 wrote to memory of 3040	1676	WScript.exe	35
PID 3040 wrote to memory of 1204	3040	svchcst.exe	36
PID 3040 wrote to memory of 1204	3040	svchcst.exe	36
PID 3040 wrote to memory of 1204	3040	svchcst.exe	36
PID 3040 wrote to memory of 1204	3040	svchcst.exe	36
PID 1204 wrote to memory of 1548	1204	WScript.exe	37
PID 1204 wrote to memory of 1548	1204	WScript.exe	37
PID 1204 wrote to memory of 1548	1204	WScript.exe	37
PID 1204 wrote to memory of 1548	1204	WScript.exe	37
PID 1548 wrote to memory of 1016	1548	svchcst.exe	38
PID 1548 wrote to memory of 1016	1548	svchcst.exe	38
PID 1548 wrote to memory of 1016	1548	svchcst.exe	38
PID 1548 wrote to memory of 1016	1548	svchcst.exe	38
PID 1204 wrote to memory of 2696	1204	WScript.exe	39
PID 1204 wrote to memory of 2696	1204	WScript.exe	39
PID 1204 wrote to memory of 2696	1204	WScript.exe	39
PID 1204 wrote to memory of 2696	1204	WScript.exe	39
PID 2696 wrote to memory of 2192	2696	svchcst.exe	40
PID 2696 wrote to memory of 2192	2696	svchcst.exe	40
PID 2696 wrote to memory of 2192	2696	svchcst.exe	40
PID 2696 wrote to memory of 2192	2696	svchcst.exe	40
PID 1016 wrote to memory of 1132	1016	WScript.exe	41
PID 1016 wrote to memory of 1132	1016	WScript.exe	41
PID 1016 wrote to memory of 1132	1016	WScript.exe	41
PID 1016 wrote to memory of 1132	1016	WScript.exe	41
PID 1132 wrote to memory of 1288	1132	svchcst.exe	42
PID 1132 wrote to memory of 1288	1132	svchcst.exe	42
PID 1132 wrote to memory of 1288	1132	svchcst.exe	42
PID 1132 wrote to memory of 1288	1132	svchcst.exe	42
PID 1288 wrote to memory of 2032	1288	WScript.exe	43
PID 1288 wrote to memory of 2032	1288	WScript.exe	43
PID 1288 wrote to memory of 2032	1288	WScript.exe	43
PID 1288 wrote to memory of 2032	1288	WScript.exe	43
PID 2032 wrote to memory of 2208	2032	svchcst.exe	44
PID 2032 wrote to memory of 2208	2032	svchcst.exe	44
PID 2032 wrote to memory of 2208	2032	svchcst.exe	44
PID 2032 wrote to memory of 2208	2032	svchcst.exe	44
PID 2208 wrote to memory of 2560	2208	WScript.exe	45
PID 2208 wrote to memory of 2560	2208	WScript.exe	45
PID 2208 wrote to memory of 2560	2208	WScript.exe	45
PID 2208 wrote to memory of 2560	2208	WScript.exe	45
PID 2560 wrote to memory of 1428	2560	svchcst.exe	46
PID 2560 wrote to memory of 1428	2560	svchcst.exe	46
PID 2560 wrote to memory of 1428	2560	svchcst.exe	46
PID 2560 wrote to memory of 1428	2560	svchcst.exe	46
PID 1428 wrote to memory of 2108	1428	WScript.exe	47
PID 1428 wrote to memory of 2108	1428	WScript.exe	47
PID 1428 wrote to memory of 2108	1428	WScript.exe	47
PID 1428 wrote to memory of 2108	1428	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe
"C:\Users\Admin\AppData\Local\Temp\31a50ca1ac898dc3c271469bed86fad57a2f64d38c30929d0dcca8d954f9923b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
2cc635dde72a08bd3d5a2f3e6b20651e

SHA1
30fcfb8427f260ab4a91ffbd666620a48b0339cf

SHA256
7782622e5d39ecf637bd16ea83d95f05bfce6200e1da00a2c9c5b9e9751581b7

SHA512
37b5f2e431b4fc5d2aad7dc325d8d9484b702b23076068907da5673e16e5756e80a45f2b79a5e28f021957cf8d5390ceb38bfca08c14e4b8dc6c415e81756a60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cb0341aeae10d75c2dbe57697aec5d4a

SHA1
3ecad62cb85dbaae505abbfda883ea3babe16381

SHA256
49b7f354358c207701030acfc90927204a985f45a69f4b9d9a1393618e6d5a6d

SHA512
27b4d9b985bf80ce4f7bc208605e5a8320040be5ef8a63215b0fa6c30f252a1932dc2307985057a67e3c1bcc1d5f91feb574674072ef040a32e1cb17764b7b80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0ea8a2bcd5314b0f721b4a88a7b79ca6

SHA1
81429311c5ed23fa4d456445ae322b7ff8fcab71

SHA256
88c2381bab6d6e4be70802361fb3d34b7046674b1d5b33de08d7a0c8ed6bd30b

SHA512
98c7ffd735369da26e7334232538df216cf6eb86fbaf75cdb26e231eebe86635961b3389ee30ced7e532aa68ff12d75f76bfae5fa2ca1fcc48f4ca04a0a9fc14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3497709e461c0ffabdecdb6cd0d8f76b

SHA1
ffc2241a55bd605f05ed121e8efa06a621d52893

SHA256
a4711006eaf6b3acc9374e06219b20d0472f921adf56e2bc39c46d8bd02b7d80

SHA512
e80113972d93152cde743da6eef682c9c7f4b0cf6bc6dbbb25101f6fe1b69e2188c3ca0029a8172c53f4bd6628a5cb785a907e63fc106c52ed5e9f135b5c8e80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b55d6756cbc024ecfa8c1b1a81c95ef4

SHA1
62c7d17f477d4194a91ad3f0cd55fe19d4046033

SHA256
4c17c388c14a174d7c579530d1fe404fe765ef4b265a178082d38380feef095a

SHA512
d8602302e208c370ee1589aea77dc16645bf81949f1977475a3548285fa754727078a3f4e36e583d1005a33a445597928ca8316c939c45128190d08fb895297c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
52571223221d891075f41211ad404c5a

SHA1
c6af2791e99d25f57f33e3d2ac87badc205d0c0a

SHA256
189090e2f328a4ccf92d4b0a2c7250b228a065afb5325862a2aeb828d8d7afb5

SHA512
08db189abf7780f381f59e497944107860d89cc12e68dfb10cda79977b52a1f286913892d1ba62dc81d803f719e682dca7bd51defe477e8b911b78e79c213797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fbf44b4ff09cf0f7e87d67181381164d

SHA1
b31082f635c57bed7eb77fafbe6da31e4e9e7b36

SHA256
8e2c99e816c86099f015bbe0bd5894d08f23413ea56ecccb526fd3b92b5cfed2

SHA512
effaa5e3810d8f22cee7998f883e3e56841f6bc4306ded4f752667e8e64a6ec2ae86af3b36d20b57252b8775b705e9fc35ad335567ecd4e462b15819cc282722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4dd3b4b4ef8107cf89b78616d9960cc2

SHA1
afe6dae6a8140c063f842f05039531252f33adf8

SHA256
29def34aa5614df76ce2b8e994776070b77fd5a417801ee7e004fbc306d23b59

SHA512
f99f144f3a650dcc8b5a35cf95acadf7755ff32b77b048a2412639dfe2b4c1738ef307c9a49b6897106df010df92d47e46f5f32bfb0569611e45289847844590

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
33a3d7fcbfca0845f3e331479c6f5e65

SHA1
b3f7ca9b8cbb1adc25a8dec34643296e8d3686d2

SHA256
021455b6d492fd19e133e48a8d3e302c99dac70e04bbb767ff77ec6ce5d109be

SHA512
8d7b5848f7ff6271fc70a81a70ded279877cd54f13112827ad58b6071fd9745ba8c811798790e038a844b8543da2acae7dc05b0c3a2b90c34d652335c84aca26

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dcb3a382a819fe182d1d8ad9a7424f2c

SHA1
bc6cad0c89f519ffbb880d86325f3848cd285810

SHA256
e702669f69299be84ae0979dc93b92515820039c5ef45904bd153ddef72cf940

SHA512
931fbd3090f85912654d756e8e5cc191132fe19554a61aa77e7bf8a7c75be1be23933b2ba57c533bef27a9070888edca8f2f87e3b607492263e525f955525717

Download Submit
memory/1740-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download