de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe
Size

1.1MB
MD5

e7b315e164924d3aee6791a8bdd43bbe
SHA1

9f4aec64839c821653bd69d43847817f5953f870
SHA256

de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642
SHA512

bcc4304311ec90cfdc1fd310e0dbfe32f7a4eb9472f850944d294f56efe2d96e57a50cb2f63752dc57f68ce391bc897f72375bd8e7bcf5795cb21bdf366c85ab
SSDEEP

24576:aH0pl8myX9BgT2QoXFkrzkmmlSgRZko0lG4Z8r7Qfbkiu5Q4:alaClSXlG4ZM7QzMr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2404	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2404	svchcst.exe
2788	svchcst.exe
2460	svchcst.exe
1972	svchcst.exe
2692	svchcst.exe
1244	svchcst.exe
2164	svchcst.exe
2408	svchcst.exe
2476	svchcst.exe
2744	svchcst.exe
1264	svchcst.exe
2252	svchcst.exe
2196	svchcst.exe
1952	svchcst.exe
692	svchcst.exe
352	svchcst.exe
2100	svchcst.exe
2640	svchcst.exe
2432	svchcst.exe
1908	svchcst.exe
2252	svchcst.exe
860	svchcst.exe
3048	svchcst.exe
1420	svchcst.exe
1000	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2528	WScript.exe
2528	WScript.exe
1640	WScript.exe
2296	WScript.exe
2296	WScript.exe
2200	WScript.exe
2200	WScript.exe
2200	WScript.exe
1704	WScript.exe
2264	WScript.exe
3056	WScript.exe
2488	WScript.exe
2488	WScript.exe
1760	WScript.exe
1760	WScript.exe
1760	WScript.exe
788	WScript.exe
3020	WScript.exe
3020	WScript.exe
1904	WScript.exe
1904	WScript.exe
2492	WScript.exe
2492	WScript.exe
1444	WScript.exe
1444	WScript.exe
2648	WScript.exe
2648	WScript.exe
2756	WScript.exe
2756	WScript.exe
1496	WScript.exe
1496	WScript.exe
2660	WScript.exe
2660	WScript.exe
668	WScript.exe
668	WScript.exe
3012	WScript.exe
3012	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe
2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe
2404	svchcst.exe
2404	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
1264	svchcst.exe
2252	svchcst.exe
1264	svchcst.exe
2252	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
692	svchcst.exe
692	svchcst.exe
352	svchcst.exe
352	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
860	svchcst.exe
860	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
1420	svchcst.exe
1420	svchcst.exe
1000	svchcst.exe
1000	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2528	2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe	28
PID 2480 wrote to memory of 2528	2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe	28
PID 2480 wrote to memory of 2528	2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe	28
PID 2480 wrote to memory of 2528	2480	de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe	28
PID 2528 wrote to memory of 2404	2528	WScript.exe	30
PID 2528 wrote to memory of 2404	2528	WScript.exe	30
PID 2528 wrote to memory of 2404	2528	WScript.exe	30
PID 2528 wrote to memory of 2404	2528	WScript.exe	30
PID 2404 wrote to memory of 1640	2404	svchcst.exe	31
PID 2404 wrote to memory of 1640	2404	svchcst.exe	31
PID 2404 wrote to memory of 1640	2404	svchcst.exe	31
PID 2404 wrote to memory of 1640	2404	svchcst.exe	31
PID 1640 wrote to memory of 2788	1640	WScript.exe	32
PID 1640 wrote to memory of 2788	1640	WScript.exe	32
PID 1640 wrote to memory of 2788	1640	WScript.exe	32
PID 1640 wrote to memory of 2788	1640	WScript.exe	32
PID 2788 wrote to memory of 2296	2788	svchcst.exe	33
PID 2788 wrote to memory of 2296	2788	svchcst.exe	33
PID 2788 wrote to memory of 2296	2788	svchcst.exe	33
PID 2788 wrote to memory of 2296	2788	svchcst.exe	33
PID 2296 wrote to memory of 2460	2296	WScript.exe	34
PID 2296 wrote to memory of 2460	2296	WScript.exe	34
PID 2296 wrote to memory of 2460	2296	WScript.exe	34
PID 2296 wrote to memory of 2460	2296	WScript.exe	34
PID 2460 wrote to memory of 1356	2460	svchcst.exe	35
PID 2460 wrote to memory of 1356	2460	svchcst.exe	35
PID 2460 wrote to memory of 1356	2460	svchcst.exe	35
PID 2460 wrote to memory of 1356	2460	svchcst.exe	35
PID 2296 wrote to memory of 1972	2296	WScript.exe	36
PID 2296 wrote to memory of 1972	2296	WScript.exe	36
PID 2296 wrote to memory of 1972	2296	WScript.exe	36
PID 2296 wrote to memory of 1972	2296	WScript.exe	36
PID 1972 wrote to memory of 2200	1972	svchcst.exe	37
PID 1972 wrote to memory of 2200	1972	svchcst.exe	37
PID 1972 wrote to memory of 2200	1972	svchcst.exe	37
PID 1972 wrote to memory of 2200	1972	svchcst.exe	37
PID 2200 wrote to memory of 2692	2200	WScript.exe	38
PID 2200 wrote to memory of 2692	2200	WScript.exe	38
PID 2200 wrote to memory of 2692	2200	WScript.exe	38
PID 2200 wrote to memory of 2692	2200	WScript.exe	38
PID 2692 wrote to memory of 912	2692	svchcst.exe	39
PID 2692 wrote to memory of 912	2692	svchcst.exe	39
PID 2692 wrote to memory of 912	2692	svchcst.exe	39
PID 2692 wrote to memory of 912	2692	svchcst.exe	39
PID 2200 wrote to memory of 1244	2200	WScript.exe	40
PID 2200 wrote to memory of 1244	2200	WScript.exe	40
PID 2200 wrote to memory of 1244	2200	WScript.exe	40
PID 2200 wrote to memory of 1244	2200	WScript.exe	40
PID 1244 wrote to memory of 1704	1244	svchcst.exe	41
PID 1244 wrote to memory of 1704	1244	svchcst.exe	41
PID 1244 wrote to memory of 1704	1244	svchcst.exe	41
PID 1244 wrote to memory of 1704	1244	svchcst.exe	41
PID 1704 wrote to memory of 2164	1704	WScript.exe	42
PID 1704 wrote to memory of 2164	1704	WScript.exe	42
PID 1704 wrote to memory of 2164	1704	WScript.exe	42
PID 1704 wrote to memory of 2164	1704	WScript.exe	42
PID 2164 wrote to memory of 2264	2164	svchcst.exe	43
PID 2164 wrote to memory of 2264	2164	svchcst.exe	43
PID 2164 wrote to memory of 2264	2164	svchcst.exe	43
PID 2164 wrote to memory of 2264	2164	svchcst.exe	43
PID 2264 wrote to memory of 2408	2264	WScript.exe	46
PID 2264 wrote to memory of 2408	2264	WScript.exe	46
PID 2264 wrote to memory of 2408	2264	WScript.exe	46
PID 2264 wrote to memory of 2408	2264	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe
"C:\Users\Admin\AppData\Local\Temp\de66054c543d977517ef0b2dade427ee1ecd475097fe20cd64efe99bd650c642.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
942eacd293e961197fc730f46ef3263d

SHA1
fdb79349eceba2e71005716afdde7f53d104e579

SHA256
60bb27be0777b9f89fd1784d7ace2b3c423b3c907f7c95a017f1523db19cb3f3

SHA512
eb6820f4d6cb738ff8357286c76df7ce5255516548fa7700c610f52ddd93e19c087fa4447ebb73c5187e05299768b834a5487158f87397ac8451e0e85b29f965

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
330994dd1430428e0e83a3e5e27e0422

SHA1
10844829268ba861f57f3e1a0c146cbe302d8d49

SHA256
f3f6934759b78b8513fd4aad7ca59538726aa7de09e23fdb552e6251653c741d

SHA512
4b34c6b7b23dbf6c67da814beac84c939cdaf6d9b8c5623073d579d2cba2182096dec7ae4c8597a0c549540f696682c4799bde574d5ed137f04ee69b09d994c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e988304f38e91781c126f920e424880f

SHA1
8c3b762a1484ba6eb78593a2f711e6404a469740

SHA256
e294b1c9da51cd6c8d296b790783f67821dc4fa81abbe30703942daba2afd85b

SHA512
8007e1a190afa593e2b1cb1b5d1ffb04dcd62a2940b1d892bdd880692f69147427f8a33772f60a93e03076732ee632c9747edd12151a4ba28efd7bd488c77b3a

Download Submit
memory/352-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/352-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-245-0x0000000005A80000-0x0000000005BDF000-memory.dmp

Filesize
1.4MB

Download
memory/692-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/692-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/860-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/860-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1244-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1244-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-199-0x0000000005960000-0x0000000005ABF000-memory.dmp

Filesize
1.4MB

Download
memory/1444-230-0x0000000005960000-0x0000000005ABF000-memory.dmp

Filesize
1.4MB

Download
memory/1496-225-0x0000000005CA0000-0x0000000005DFF000-memory.dmp

Filesize
1.4MB

Download
memory/1640-28-0x0000000004580000-0x00000000046DF000-memory.dmp

Filesize
1.4MB

Download
memory/1704-124-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-187-0x0000000005EE0000-0x000000000603F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-137-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/1904-179-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/1908-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2100-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2200-115-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2460-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2460-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-189-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download
memory/2528-15-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/2528-13-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2640-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-240-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-208-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-235-0x0000000005A20000-0x0000000005B7F000-memory.dmp

Filesize
1.4MB

Download
memory/2692-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2692-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2744-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-173-0x0000000005E20000-0x0000000005F7F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-198-0x0000000005E20000-0x0000000005F7F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download