8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
Size

1.1MB
MD5

0726548110e97d62eca6baaf0568d904
SHA1

de55e77592dfcdcbbb5bd119adff8d7b664bdc91
SHA256

8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b
SHA512

ed33c1c9f5b2e1aeb1148e65f2ae58ba9c26cabe57612a862e1bb6fb6daa085762e8f87a44a7232877d1a6fe9f8104ba5ed333ab92950185f27c88ad72d031d4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QD:CcaClSFlG4ZM7QzME

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2940	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2940	svchcst.exe
1272	svchcst.exe
2584	svchcst.exe
908	svchcst.exe
2972	svchcst.exe
912	svchcst.exe
1964	svchcst.exe
2748	svchcst.exe
2388	svchcst.exe
1396	svchcst.exe
1968	svchcst.exe
2928	svchcst.exe
3036	svchcst.exe
612	svchcst.exe
1752	svchcst.exe
1608	svchcst.exe
2200	svchcst.exe
2884	svchcst.exe
1156	svchcst.exe
1684	svchcst.exe
2896	svchcst.exe
1992	svchcst.exe
1400	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2356	WScript.exe
2356	WScript.exe
1252	WScript.exe
1252	WScript.exe
1764	WScript.exe
1764	WScript.exe
1432	WScript.exe
1432	WScript.exe
2932	WScript.exe
2932	WScript.exe
876	WScript.exe
876	WScript.exe
2268	WScript.exe
2268	WScript.exe
2992	WScript.exe
2992	WScript.exe
2828	WScript.exe
2828	WScript.exe
1484	WScript.exe
1484	WScript.exe
1872	WScript.exe
1872	WScript.exe
2584	WScript.exe
2584	WScript.exe
2468	WScript.exe
2468	WScript.exe
2696	WScript.exe
2696	WScript.exe
2192	WScript.exe
2192	WScript.exe
3000	WScript.exe
3000	WScript.exe
2880	WScript.exe
2880	WScript.exe
2232	WScript.exe
2232	WScript.exe
2620	WScript.exe
2620	WScript.exe
2512	WScript.exe
2512	WScript.exe
952	WScript.exe
952	WScript.exe
2904	WScript.exe
2904	WScript.exe
1928	WScript.exe
1928	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
2940	svchcst.exe
2940	svchcst.exe
1272	svchcst.exe
1272	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
908	svchcst.exe
908	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
912	svchcst.exe
912	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
1396	svchcst.exe
1396	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
612	svchcst.exe
612	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
1156	svchcst.exe
1156	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
1400	svchcst.exe
1400	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2356	264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	30
PID 264 wrote to memory of 2356	264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	30
PID 264 wrote to memory of 2356	264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	30
PID 264 wrote to memory of 2356	264	8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe	30
PID 2356 wrote to memory of 2940	2356	WScript.exe	33
PID 2356 wrote to memory of 2940	2356	WScript.exe	33
PID 2356 wrote to memory of 2940	2356	WScript.exe	33
PID 2356 wrote to memory of 2940	2356	WScript.exe	33
PID 2940 wrote to memory of 1252	2940	svchcst.exe	34
PID 2940 wrote to memory of 1252	2940	svchcst.exe	34
PID 2940 wrote to memory of 1252	2940	svchcst.exe	34
PID 2940 wrote to memory of 1252	2940	svchcst.exe	34
PID 1252 wrote to memory of 1272	1252	WScript.exe	35
PID 1252 wrote to memory of 1272	1252	WScript.exe	35
PID 1252 wrote to memory of 1272	1252	WScript.exe	35
PID 1252 wrote to memory of 1272	1252	WScript.exe	35
PID 1272 wrote to memory of 1764	1272	svchcst.exe	36
PID 1272 wrote to memory of 1764	1272	svchcst.exe	36
PID 1272 wrote to memory of 1764	1272	svchcst.exe	36
PID 1272 wrote to memory of 1764	1272	svchcst.exe	36
PID 1764 wrote to memory of 2584	1764	WScript.exe	37
PID 1764 wrote to memory of 2584	1764	WScript.exe	37
PID 1764 wrote to memory of 2584	1764	WScript.exe	37
PID 1764 wrote to memory of 2584	1764	WScript.exe	37
PID 2584 wrote to memory of 1432	2584	svchcst.exe	38
PID 2584 wrote to memory of 1432	2584	svchcst.exe	38
PID 2584 wrote to memory of 1432	2584	svchcst.exe	38
PID 2584 wrote to memory of 1432	2584	svchcst.exe	38
PID 1432 wrote to memory of 908	1432	WScript.exe	39
PID 1432 wrote to memory of 908	1432	WScript.exe	39
PID 1432 wrote to memory of 908	1432	WScript.exe	39
PID 1432 wrote to memory of 908	1432	WScript.exe	39
PID 908 wrote to memory of 2932	908	svchcst.exe	40
PID 908 wrote to memory of 2932	908	svchcst.exe	40
PID 908 wrote to memory of 2932	908	svchcst.exe	40
PID 908 wrote to memory of 2932	908	svchcst.exe	40
PID 2932 wrote to memory of 2972	2932	WScript.exe	41
PID 2932 wrote to memory of 2972	2932	WScript.exe	41
PID 2932 wrote to memory of 2972	2932	WScript.exe	41
PID 2932 wrote to memory of 2972	2932	WScript.exe	41
PID 2972 wrote to memory of 876	2972	svchcst.exe	42
PID 2972 wrote to memory of 876	2972	svchcst.exe	42
PID 2972 wrote to memory of 876	2972	svchcst.exe	42
PID 2972 wrote to memory of 876	2972	svchcst.exe	42
PID 876 wrote to memory of 912	876	WScript.exe	43
PID 876 wrote to memory of 912	876	WScript.exe	43
PID 876 wrote to memory of 912	876	WScript.exe	43
PID 876 wrote to memory of 912	876	WScript.exe	43
PID 912 wrote to memory of 2268	912	svchcst.exe	44
PID 912 wrote to memory of 2268	912	svchcst.exe	44
PID 912 wrote to memory of 2268	912	svchcst.exe	44
PID 912 wrote to memory of 2268	912	svchcst.exe	44
PID 2268 wrote to memory of 1964	2268	WScript.exe	45
PID 2268 wrote to memory of 1964	2268	WScript.exe	45
PID 2268 wrote to memory of 1964	2268	WScript.exe	45
PID 2268 wrote to memory of 1964	2268	WScript.exe	45
PID 1964 wrote to memory of 2992	1964	svchcst.exe	46
PID 1964 wrote to memory of 2992	1964	svchcst.exe	46
PID 1964 wrote to memory of 2992	1964	svchcst.exe	46
PID 1964 wrote to memory of 2992	1964	svchcst.exe	46
PID 2992 wrote to memory of 2748	2992	WScript.exe	47
PID 2992 wrote to memory of 2748	2992	WScript.exe	47
PID 2992 wrote to memory of 2748	2992	WScript.exe	47
PID 2992 wrote to memory of 2748	2992	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe
"C:\Users\Admin\AppData\Local\Temp\8a0b87ae1da62d03f7ec89ad41c333ae02a0088fe6429de168b578defecf489b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
81d356ac818af60aa4caebca9347aded

SHA1
48ca29c8dda80478d8ad1e848402fe2ccdacb18b

SHA256
10ec10fa948e4518f9c17c95022678e458ce5a8727df963fc6ad1896974fa255

SHA512
49b355cb05ca6f0c189bbbabf49d282cf4079e8d40529bc4d38419a5a043372d89a38506426bdf732ec5dd5be2a0589f38bb6592f2209fef8410b81484038390

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
99c57715b2378e47614ee0c87f9a42cd

SHA1
82b1c2d3e11491291ebf2d51013bc2a3fb3ce358

SHA256
01019c503b4f186fd333f45c0c5cf045762225c1a2c860020ebcd64e5c8ffa2f

SHA512
ebb386b7529b61ad29c1ef557402781c70f221c6be32dd5922f1172b15515dc14865ce93315d78836a75f6e4d391a41d1b4a906e08b5802ed7f0521958217967

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f648fa003fc825b165754d60f43259dd

SHA1
d610bd1f53623a236a2f9bc4344d97a345e694d3

SHA256
11ecd53d614b6c300656c79a246b7bb991698b913b62f8af48742da14513395b

SHA512
c594e77481d39468af230fa60e7e7e6ffaf27f409f13baf6d45de80acd6bb1dde6c53c42472f839a400457c861b5424ba686764f1bc648ecfd92b4c4563752f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cd8b9bd9ca518293a3004a19bbc31976

SHA1
2494d004ec7355a5e22176cf743ee3194e6f4633

SHA256
8c6b71597c77683f2ee5c54fd33b9418a9f1c6a1cbdef6cc2fce988573b8c8c6

SHA512
eb483e860bd1820dce85e2d741e276a3b8fb0a2b2869157f6e8e6fd655d2cd52e59abe4a577760d5d949f8d75aa956cbc209e05ec0890456cd78501ed8c2f60c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f042f82e70e2b1b71bdd1c89f70bd7d8

SHA1
01371d071cfea5844b2f2398edcb26574cf3bf52

SHA256
4b7e53ad41452b9bc06040725a05186ff64989bc2e893593dca06d4b91b9219a

SHA512
29f7a9edc332408fc8a8bcfcab432e15b12fd4384c12706d39c102f92a544b88711e1b492df73d0c2566c370b51b0a6f39743c64a130935bccf9874bc0be9833

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7f2f1242675968c11dcfe33f932c40fd

SHA1
a1953016ed201f919fbae27ce2f62ec14abc377d

SHA256
f8031f25664f3d7fff56ac8086835f65caaf5619309121f8b1aca77c0b2e60b7

SHA512
74ed41fd3ec9de5cc33dc8e342164c1be5ead94034ff1e9f1ad7eef459809cbc12828cb1d3bfdbef1e8573b38c653e62dd574c11113c9a5248a1d58a3cfee875

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a5b098787092e21ef6d40f7b4ab6fb42

SHA1
39edd46eefb0724f18497e8831b141e1d71b2083

SHA256
e66324983e0087ab9271a5445aca905cca1269726a398635e7629b9c6a7f32d0

SHA512
ddcc2a336849fc53adf680055bf876599ce86967f00d0b629907983db9c4348d802c7f26825f09870210aecd76a20f6da30cb5f8d073c7a99a264fc463beef28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
486f92127d910bac3cedcc12cbb99eba

SHA1
3a47bbda2520b97e5e73a982a1cded1e42ef5458

SHA256
24dcee870410c097f9f34f2a7604ff4ec93121e0ee93b61dd5a809c04d17bc1e

SHA512
24c588264e88e71c45dc6fd8bcc3f5cced792c918f88948b32aca49e676e6f0b9548fa6ceae3c9ab53d49f8331726ce9ae17827bde75a15c31d2d3340be15ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
36a2612f677d7a9de811f762602ac47b

SHA1
a3cda0cb393441038380df814578b289f82cd521

SHA256
1ab877558c3a10f08289f871432ce7d26c81eddc5609c5c18470483c284fd1df

SHA512
95eb8eabd1fa72d7fa7b27682f195fb25a44c55a0a4076b4894395672eff9f94fe49c1983d9fe4c5a436ff07d73e6e22941224ddf829d0db6811c9ed382b6e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c777dd731f37adadb46a8baed27ff2d7

SHA1
bd44309d73829d820a09a1badbf8940701ba700c

SHA256
2c5f548c012741f981ab894977e4a12a8dc87b296b7ab6bbf22735e14ac8d089

SHA512
5d61fab3a27c75e765a01a1307de1a5a3e720328c44f1ddad401397122b14980686ec0e2e6598f289eeab808b4b3468a62113c1eb7e8363ab1f0e9b55e25b767

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7f190a2204926e20a18cfd51b4b793aa

SHA1
ada28a4479cf1fec48a6469d3985da74dd77153d

SHA256
48204a6420ae23e3a24a2eb733267fd2132979dfb46d23553cca617adb2f6a2f

SHA512
dccce8122ff18497bce57885694c72bbf08262559c2312f30d607257ca80f4abd9405722a3ce036af87007cb5961abcdf9c46c6d7af19a1af117a24fe17a0697

Download Submit
memory/264-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download