3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe
Size

1.1MB
MD5

886fb349bd176d1c19ea9634985fe839
SHA1

f58323b6a60c2d165e3494240c3627b75240900f
SHA256

3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4
SHA512

026bedc0cd0ad1e916cff963b36a77d3f478c27125dcec69db89814b5bfbed667a5c8030d3232e0e1a9c82c45d00c2f556f5e233f257d39927077af1e1188ce5
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzMY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	svchcst.exe

Executes dropped EXE 27 IoCs

pid	Process
2564	svchcst.exe
2648	svchcst.exe
2280	svchcst.exe
2244	svchcst.exe
1396	svchcst.exe
2200	svchcst.exe
332	svchcst.exe
2080	svchcst.exe
2908	svchcst.exe
2536	svchcst.exe
2576	svchcst.exe
1020	svchcst.exe
2172	svchcst.exe
1668	svchcst.exe
2024	svchcst.exe
1932	svchcst.exe
3004	svchcst.exe
1656	svchcst.exe
1912	svchcst.exe
564	svchcst.exe
2392	svchcst.exe
2940	svchcst.exe
2288	svchcst.exe
1228	svchcst.exe
2760	svchcst.exe
2580	svchcst.exe
1884	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2508	WScript.exe
2508	WScript.exe
2476	WScript.exe
1252	WScript.exe
1252	WScript.exe
2456	WScript.exe
2228	WScript.exe
2228	WScript.exe
564	WScript.exe
2084	WScript.exe
2084	WScript.exe
1680	WScript.exe
2084	WScript.exe
2760	WScript.exe
2084	WScript.exe
2084	WScript.exe
2896	WScript.exe
1452	WScript.exe
1452	WScript.exe
1452	WScript.exe
1240	WScript.exe
1240	WScript.exe
608	WScript.exe
608	WScript.exe
1124	WScript.exe
1124	WScript.exe
2892	WScript.exe
2892	WScript.exe
1676	WScript.exe
1676	WScript.exe
2644	WScript.exe
2644	WScript.exe
328	WScript.exe
328	WScript.exe
3040	WScript.exe
3040	WScript.exe
1996	WScript.exe
1996	WScript.exe
2748	WScript.exe
2748	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe
2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe
2564	svchcst.exe
2564	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2244	svchcst.exe
2244	svchcst.exe
1396	svchcst.exe
1396	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
332	svchcst.exe
332	svchcst.exe
2080	svchcst.exe
2080	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
1020	svchcst.exe
1020	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
564	svchcst.exe
564	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2508	2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe	28
PID 2908 wrote to memory of 2508	2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe	28
PID 2908 wrote to memory of 2508	2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe	28
PID 2908 wrote to memory of 2508	2908	3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe	28
PID 2508 wrote to memory of 2564	2508	WScript.exe	30
PID 2508 wrote to memory of 2564	2508	WScript.exe	30
PID 2508 wrote to memory of 2564	2508	WScript.exe	30
PID 2508 wrote to memory of 2564	2508	WScript.exe	30
PID 2564 wrote to memory of 2476	2564	svchcst.exe	31
PID 2564 wrote to memory of 2476	2564	svchcst.exe	31
PID 2564 wrote to memory of 2476	2564	svchcst.exe	31
PID 2564 wrote to memory of 2476	2564	svchcst.exe	31
PID 2476 wrote to memory of 2648	2476	WScript.exe	32
PID 2476 wrote to memory of 2648	2476	WScript.exe	32
PID 2476 wrote to memory of 2648	2476	WScript.exe	32
PID 2476 wrote to memory of 2648	2476	WScript.exe	32
PID 2648 wrote to memory of 1252	2648	svchcst.exe	33
PID 2648 wrote to memory of 1252	2648	svchcst.exe	33
PID 2648 wrote to memory of 1252	2648	svchcst.exe	33
PID 2648 wrote to memory of 1252	2648	svchcst.exe	33
PID 1252 wrote to memory of 2280	1252	WScript.exe	34
PID 1252 wrote to memory of 2280	1252	WScript.exe	34
PID 1252 wrote to memory of 2280	1252	WScript.exe	34
PID 1252 wrote to memory of 2280	1252	WScript.exe	34
PID 2280 wrote to memory of 2456	2280	svchcst.exe	35
PID 2280 wrote to memory of 2456	2280	svchcst.exe	35
PID 2280 wrote to memory of 2456	2280	svchcst.exe	35
PID 2280 wrote to memory of 2456	2280	svchcst.exe	35
PID 2456 wrote to memory of 2244	2456	WScript.exe	36
PID 2456 wrote to memory of 2244	2456	WScript.exe	36
PID 2456 wrote to memory of 2244	2456	WScript.exe	36
PID 2456 wrote to memory of 2244	2456	WScript.exe	36
PID 2244 wrote to memory of 2228	2244	svchcst.exe	37
PID 2244 wrote to memory of 2228	2244	svchcst.exe	37
PID 2244 wrote to memory of 2228	2244	svchcst.exe	37
PID 2244 wrote to memory of 2228	2244	svchcst.exe	37
PID 2228 wrote to memory of 1396	2228	WScript.exe	38
PID 2228 wrote to memory of 1396	2228	WScript.exe	38
PID 2228 wrote to memory of 1396	2228	WScript.exe	38
PID 2228 wrote to memory of 1396	2228	WScript.exe	38
PID 1396 wrote to memory of 564	1396	svchcst.exe	39
PID 1396 wrote to memory of 564	1396	svchcst.exe	39
PID 1396 wrote to memory of 564	1396	svchcst.exe	39
PID 1396 wrote to memory of 564	1396	svchcst.exe	39
PID 2228 wrote to memory of 2200	2228	WScript.exe	40
PID 2228 wrote to memory of 2200	2228	WScript.exe	40
PID 2228 wrote to memory of 2200	2228	WScript.exe	40
PID 2228 wrote to memory of 2200	2228	WScript.exe	40
PID 2200 wrote to memory of 1680	2200	svchcst.exe	41
PID 2200 wrote to memory of 1680	2200	svchcst.exe	41
PID 2200 wrote to memory of 1680	2200	svchcst.exe	41
PID 2200 wrote to memory of 1680	2200	svchcst.exe	41
PID 564 wrote to memory of 332	564	WScript.exe	42
PID 564 wrote to memory of 332	564	WScript.exe	42
PID 564 wrote to memory of 332	564	WScript.exe	42
PID 564 wrote to memory of 332	564	WScript.exe	42
PID 332 wrote to memory of 2084	332	svchcst.exe	43
PID 332 wrote to memory of 2084	332	svchcst.exe	43
PID 332 wrote to memory of 2084	332	svchcst.exe	43
PID 332 wrote to memory of 2084	332	svchcst.exe	43
PID 2084 wrote to memory of 2080	2084	WScript.exe	46
PID 2084 wrote to memory of 2080	2084	WScript.exe	46
PID 2084 wrote to memory of 2080	2084	WScript.exe	46
PID 2084 wrote to memory of 2080	2084	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe
"C:\Users\Admin\AppData\Local\Temp\3cd73b4b96452c98a8c64a318c48c623586300c24c982be205dffb2a950f46a4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
58ca5318a640c09cbe1734fe4e64aa9d

SHA1
37a07d13f9c9bda6757eb11f39d2994c5d24d4c3

SHA256
0332af1d8f7374e4ebdd0ae0a7890e6fd8ceff8d8f2ba5bc7e6ca36fd5a935b0

SHA512
697c10bf242e049a2cf955d9bf31ec33124a0ec527407967f9be6d41fda3ebb24c00b017e5a0c7a851ae8e74642167aaed771350bb0bfb10bb4e752534eb04ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2885ba4856fdbf84fb7a2c6c4aaaaf10

SHA1
f28e4d26121a9a9eae7c32a110ec85cc42d57e4c

SHA256
144476157518dff9bb713cab719e2996176f0fd265007500fdfdf1019069503e

SHA512
866c0f121c02c5818d7ab7dea0bd182fad5054466df934bd4565b2b758c0eab20e10e424e5e5604a9539d749b545aa7c74262545d71334df440fc8a4e98a13c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
22fcbdb5877ff3c363f6ba9e1ce5ab26

SHA1
c0af5975d7811df0e810f3205d0cc9fc5a693e7b

SHA256
e80d0c3040fe61c89a69a46842ab17f56ad3667a7cf0274a86250c63415231c6

SHA512
9fc34bf82b8ef5bac4d8fc24d27d21218eea2327d528abb31d16a01d8cf46eebb82bcb4f104e1c583c66173924c5656ce0a21ecd311ac61617b44ad478d96065

Download Submit
memory/2908-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download