3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
Size

1.1MB
MD5

b181e1e0dadc34795bd14e23726ff86f
SHA1

729104c13ede6b6de7a49ed27b2d6b30c9081f10
SHA256

3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625
SHA512

fb9da33486521ee96fa422c6b46d47bbd13c554791bb012ddaedf21a598011a80d51b5a9a38148e3dfb600112960e2f966f0bbe41eb68d5a5103d2712766fb86
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QL:CcaClSFlG4ZM7QzMc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2728	svchcst.exe
2148	svchcst.exe
2744	svchcst.exe
2068	svchcst.exe
752	svchcst.exe
868	svchcst.exe
1784	svchcst.exe
1468	svchcst.exe
2736	svchcst.exe
2448	svchcst.exe
1584	svchcst.exe
1376	svchcst.exe
944	svchcst.exe
2004	svchcst.exe
1312	svchcst.exe
1164	svchcst.exe
668	svchcst.exe
1204	svchcst.exe
292	svchcst.exe
2776	svchcst.exe
2760	svchcst.exe
1220	svchcst.exe
2052	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2208	WScript.exe
2208	WScript.exe
1960	WScript.exe
1960	WScript.exe
2952	WScript.exe
2952	WScript.exe
2812	WScript.exe
2812	WScript.exe
2012	WScript.exe
328	WScript.exe
1204	WScript.exe
1056	WScript.exe
1056	WScript.exe
2516	WScript.exe
2516	WScript.exe
1708	WScript.exe
1708	WScript.exe
1568	WScript.exe
2228	WScript.exe
2228	WScript.exe
1132	WScript.exe
1132	WScript.exe
1840	WScript.exe
1840	WScript.exe
3056	WScript.exe
3056	WScript.exe
1140	WScript.exe
1140	WScript.exe
2528	WScript.exe
2528	WScript.exe
2500	WScript.exe
2500	WScript.exe
2404	WScript.exe
2404	WScript.exe
2848	WScript.exe
2848	WScript.exe
1244	WScript.exe
1244	WScript.exe
1288	WScript.exe
1288	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
2728	svchcst.exe
2728	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
752	svchcst.exe
752	svchcst.exe
868	svchcst.exe
868	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1376	svchcst.exe
1376	svchcst.exe
944	svchcst.exe
944	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
1312	svchcst.exe
1312	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
668	svchcst.exe
668	svchcst.exe
1204	svchcst.exe
1204	svchcst.exe
292	svchcst.exe
292	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2208	948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe	28
PID 948 wrote to memory of 2208	948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe	28
PID 948 wrote to memory of 2208	948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe	28
PID 948 wrote to memory of 2208	948	3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe	28
PID 2208 wrote to memory of 2728	2208	WScript.exe	30
PID 2208 wrote to memory of 2728	2208	WScript.exe	30
PID 2208 wrote to memory of 2728	2208	WScript.exe	30
PID 2208 wrote to memory of 2728	2208	WScript.exe	30
PID 2728 wrote to memory of 1960	2728	svchcst.exe	31
PID 2728 wrote to memory of 1960	2728	svchcst.exe	31
PID 2728 wrote to memory of 1960	2728	svchcst.exe	31
PID 2728 wrote to memory of 1960	2728	svchcst.exe	31
PID 1960 wrote to memory of 2148	1960	WScript.exe	32
PID 1960 wrote to memory of 2148	1960	WScript.exe	32
PID 1960 wrote to memory of 2148	1960	WScript.exe	32
PID 1960 wrote to memory of 2148	1960	WScript.exe	32
PID 2148 wrote to memory of 2952	2148	svchcst.exe	33
PID 2148 wrote to memory of 2952	2148	svchcst.exe	33
PID 2148 wrote to memory of 2952	2148	svchcst.exe	33
PID 2148 wrote to memory of 2952	2148	svchcst.exe	33
PID 2952 wrote to memory of 2744	2952	WScript.exe	34
PID 2952 wrote to memory of 2744	2952	WScript.exe	34
PID 2952 wrote to memory of 2744	2952	WScript.exe	34
PID 2952 wrote to memory of 2744	2952	WScript.exe	34
PID 2744 wrote to memory of 2812	2744	svchcst.exe	35
PID 2744 wrote to memory of 2812	2744	svchcst.exe	35
PID 2744 wrote to memory of 2812	2744	svchcst.exe	35
PID 2744 wrote to memory of 2812	2744	svchcst.exe	35
PID 2812 wrote to memory of 2068	2812	WScript.exe	36
PID 2812 wrote to memory of 2068	2812	WScript.exe	36
PID 2812 wrote to memory of 2068	2812	WScript.exe	36
PID 2812 wrote to memory of 2068	2812	WScript.exe	36
PID 2068 wrote to memory of 2012	2068	svchcst.exe	37
PID 2068 wrote to memory of 2012	2068	svchcst.exe	37
PID 2068 wrote to memory of 2012	2068	svchcst.exe	37
PID 2068 wrote to memory of 2012	2068	svchcst.exe	37
PID 2012 wrote to memory of 752	2012	WScript.exe	38
PID 2012 wrote to memory of 752	2012	WScript.exe	38
PID 2012 wrote to memory of 752	2012	WScript.exe	38
PID 2012 wrote to memory of 752	2012	WScript.exe	38
PID 752 wrote to memory of 328	752	svchcst.exe	39
PID 752 wrote to memory of 328	752	svchcst.exe	39
PID 752 wrote to memory of 328	752	svchcst.exe	39
PID 752 wrote to memory of 328	752	svchcst.exe	39
PID 328 wrote to memory of 868	328	WScript.exe	40
PID 328 wrote to memory of 868	328	WScript.exe	40
PID 328 wrote to memory of 868	328	WScript.exe	40
PID 328 wrote to memory of 868	328	WScript.exe	40
PID 868 wrote to memory of 1204	868	svchcst.exe	41
PID 868 wrote to memory of 1204	868	svchcst.exe	41
PID 868 wrote to memory of 1204	868	svchcst.exe	41
PID 868 wrote to memory of 1204	868	svchcst.exe	41
PID 1204 wrote to memory of 1784	1204	WScript.exe	42
PID 1204 wrote to memory of 1784	1204	WScript.exe	42
PID 1204 wrote to memory of 1784	1204	WScript.exe	42
PID 1204 wrote to memory of 1784	1204	WScript.exe	42
PID 1784 wrote to memory of 1056	1784	svchcst.exe	43
PID 1784 wrote to memory of 1056	1784	svchcst.exe	43
PID 1784 wrote to memory of 1056	1784	svchcst.exe	43
PID 1784 wrote to memory of 1056	1784	svchcst.exe	43
PID 1056 wrote to memory of 1468	1056	WScript.exe	46
PID 1056 wrote to memory of 1468	1056	WScript.exe	46
PID 1056 wrote to memory of 1468	1056	WScript.exe	46
PID 1056 wrote to memory of 1468	1056	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe
"C:\Users\Admin\AppData\Local\Temp\3508bc352da8964ac34011fe39e48fda64d5576ce1c6faca507d063c053be625.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
14f29a0990cf385ffd7137f973b8b7a5

SHA1
ff20b1e4e665b2171213098168bf8f6b2b23ed2a

SHA256
f00f4266e4091045dc18bcdf57d16e7b171e2b5c964e31019f9cae5ecb72264e

SHA512
e03c65006d238b42fbc941c6dc2d92ec7fe15da6b50f5efa09701568b3af359c630b4a68affb4eeaf9484d2f350bcbaea46c931c7f6c15abc2ae6863d235ac83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
41db790e2bec879385061977555f7230

SHA1
c9a2a56e9d5ab9c6da832e88903797c9139f4afe

SHA256
15d59aeb3aef5da2a87325edd938fbcd60006009f325213087ed0bbdca97f32a

SHA512
563056724f251069fd79c8c7ed46f79a27e912259376b1a298ec196e0fb894a88ffc4ddb4696405c58cf5fbd179d7cee41c1ffedc5083e61abc42133782b7072

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da53fc9076fde51a37268206ee1d09b9

SHA1
361cb8641cd348762e476b2481c5cfa8f16f49de

SHA256
6f0c9c1f1731e2b877ce153943a23b5c077938dc1c614920928fc0f5328dd76b

SHA512
334fcc2d5a98fef4c3afc0ef39f0813b5b15f3469569c6dfd03638b4c8dc1ecfc6cc2942d4afa915ee856f26c1e67340e1a87284a5a1e22bfb831cb0498c71e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7ea599f19b357c5bf44d836e8381e633

SHA1
41286142877c122b420d991d68781c433d75a028

SHA256
51db51c94a615460c4b0fdbdf7f63d6df756d7c765f9304ccee4aed0dacb6499

SHA512
d9adae8ccbd75886c691e838e51a4d0fa0c8fe3c3f4dc348b26089b7ef2b1720cc9fc60e149b5daa6953cb9c57165bd9c4ff26fbf2337566ba7b890de8d2bbdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b3aecc79306bd672695d0b030d225db3

SHA1
57dfa7d69817012f224194e603c00717b412b863

SHA256
04642e80818df39c22c4ec61f437024be3f6b2190763b7354beb5480957c409b

SHA512
f69477191a48b668171031b57a369c03da6fb4c7a8ffdea7173fdef7161275d8017e9f9fd5e45a2e555306d24ab871f27d9556c7db224fa1a1235903028c19dc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
56f8937367c8f9c464ba97f045bd4ac0

SHA1
0175a9ee84d77e184e4a8d0430e1faa5866fe805

SHA256
57ad9379c3784650b4cfc1ed9d03a21e7320a5a9df5577fe844327e6b9b37388

SHA512
34be940671bb7bd1a4732da184254c1ccc608e2cd5f019a6f9d0a74a23677cf5d7712c19cc87086a621e52b88f0e164f08e6068ed7f56fcd5e870a208dcf6a44

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d71c4fa94ed4307a031b65d3b7961cc2

SHA1
bc72a15919b1ac3e6cfcd41d4ff6f07c0443d64a

SHA256
c5203bba04681330b0fbcfb1e37c5aed83fbc816006818fa7e991d0144700efd

SHA512
d0a91bc8b7150e56efd913a8571243809165c3490bbd07f3c75bb200dd8c4453003d49107363e5a98149087168234c270296b031d352408ae3003fb86684064a

Download Submit