5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe
Size

1.1MB
MD5

630577f754f2073f28f9726150b9ceb1
SHA1

7541151c5fd292ffd3aec5b5007effcdbe410760
SHA256

5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99
SHA512

b1240076e608218c575f249397d979dcdcd97b51213651e774cfd29661f4e20238eb8c9ff430438d2e4aea6b0f985e49b421a2d3a5118d6626a57705f481a357
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qu:CcaClSFlG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2556	svchcst.exe
2424	svchcst.exe
2280	svchcst.exe
2004	svchcst.exe
572	svchcst.exe
3052	svchcst.exe
816	svchcst.exe
1468	svchcst.exe
3044	svchcst.exe
1504	svchcst.exe
1004	svchcst.exe
1588	svchcst.exe
2980	svchcst.exe
1944	svchcst.exe
2932	svchcst.exe
1768	svchcst.exe
1644	svchcst.exe
1884	svchcst.exe
2564	svchcst.exe
2684	svchcst.exe
1240	svchcst.exe
648	svchcst.exe
916	svchcst.exe

Loads dropped DLL 33 IoCs

pid	Process
2500	WScript.exe
2500	WScript.exe
2420	WScript.exe
2124	WScript.exe
2124	WScript.exe
1880	WScript.exe
1648	WScript.exe
2536	WScript.exe
2536	WScript.exe
1524	WScript.exe
2596	WScript.exe
2596	WScript.exe
2820	WScript.exe
2244	WScript.exe
1432	WScript.exe
2992	WScript.exe
2992	WScript.exe
960	WScript.exe
960	WScript.exe
2728	WScript.exe
2728	WScript.exe
2944	WScript.exe
2944	WScript.exe
2808	WScript.exe
2808	WScript.exe
1748	WScript.exe
1748	WScript.exe
2400	WScript.exe
2400	WScript.exe
2820	WScript.exe
2820	WScript.exe
2132	WScript.exe
2132	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe
1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe
2556	svchcst.exe
2556	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
572	svchcst.exe
572	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
816	svchcst.exe
816	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
1504	svchcst.exe
1504	svchcst.exe
1004	svchcst.exe
1004	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
648	svchcst.exe
648	svchcst.exe
916	svchcst.exe
916	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2500	1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe	28
PID 1984 wrote to memory of 2500	1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe	28
PID 1984 wrote to memory of 2500	1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe	28
PID 1984 wrote to memory of 2500	1984	5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe	28
PID 2500 wrote to memory of 2556	2500	WScript.exe	30
PID 2500 wrote to memory of 2556	2500	WScript.exe	30
PID 2500 wrote to memory of 2556	2500	WScript.exe	30
PID 2500 wrote to memory of 2556	2500	WScript.exe	30
PID 2556 wrote to memory of 2420	2556	svchcst.exe	31
PID 2556 wrote to memory of 2420	2556	svchcst.exe	31
PID 2556 wrote to memory of 2420	2556	svchcst.exe	31
PID 2556 wrote to memory of 2420	2556	svchcst.exe	31
PID 2420 wrote to memory of 2424	2420	WScript.exe	32
PID 2420 wrote to memory of 2424	2420	WScript.exe	32
PID 2420 wrote to memory of 2424	2420	WScript.exe	32
PID 2420 wrote to memory of 2424	2420	WScript.exe	32
PID 2424 wrote to memory of 2124	2424	svchcst.exe	33
PID 2424 wrote to memory of 2124	2424	svchcst.exe	33
PID 2424 wrote to memory of 2124	2424	svchcst.exe	33
PID 2424 wrote to memory of 2124	2424	svchcst.exe	33
PID 2124 wrote to memory of 2280	2124	WScript.exe	34
PID 2124 wrote to memory of 2280	2124	WScript.exe	34
PID 2124 wrote to memory of 2280	2124	WScript.exe	34
PID 2124 wrote to memory of 2280	2124	WScript.exe	34
PID 2280 wrote to memory of 272	2280	svchcst.exe	35
PID 2280 wrote to memory of 272	2280	svchcst.exe	35
PID 2280 wrote to memory of 272	2280	svchcst.exe	35
PID 2280 wrote to memory of 272	2280	svchcst.exe	35
PID 2124 wrote to memory of 2004	2124	WScript.exe	36
PID 2124 wrote to memory of 2004	2124	WScript.exe	36
PID 2124 wrote to memory of 2004	2124	WScript.exe	36
PID 2124 wrote to memory of 2004	2124	WScript.exe	36
PID 2004 wrote to memory of 1880	2004	svchcst.exe	37
PID 2004 wrote to memory of 1880	2004	svchcst.exe	37
PID 2004 wrote to memory of 1880	2004	svchcst.exe	37
PID 2004 wrote to memory of 1880	2004	svchcst.exe	37
PID 1880 wrote to memory of 572	1880	WScript.exe	38
PID 1880 wrote to memory of 572	1880	WScript.exe	38
PID 1880 wrote to memory of 572	1880	WScript.exe	38
PID 1880 wrote to memory of 572	1880	WScript.exe	38
PID 572 wrote to memory of 1648	572	svchcst.exe	39
PID 572 wrote to memory of 1648	572	svchcst.exe	39
PID 572 wrote to memory of 1648	572	svchcst.exe	39
PID 572 wrote to memory of 1648	572	svchcst.exe	39
PID 1648 wrote to memory of 3052	1648	WScript.exe	40
PID 1648 wrote to memory of 3052	1648	WScript.exe	40
PID 1648 wrote to memory of 3052	1648	WScript.exe	40
PID 1648 wrote to memory of 3052	1648	WScript.exe	40
PID 3052 wrote to memory of 2536	3052	svchcst.exe	41
PID 3052 wrote to memory of 2536	3052	svchcst.exe	41
PID 3052 wrote to memory of 2536	3052	svchcst.exe	41
PID 3052 wrote to memory of 2536	3052	svchcst.exe	41
PID 2536 wrote to memory of 816	2536	WScript.exe	42
PID 2536 wrote to memory of 816	2536	WScript.exe	42
PID 2536 wrote to memory of 816	2536	WScript.exe	42
PID 2536 wrote to memory of 816	2536	WScript.exe	42
PID 816 wrote to memory of 1204	816	svchcst.exe	43
PID 816 wrote to memory of 1204	816	svchcst.exe	43
PID 816 wrote to memory of 1204	816	svchcst.exe	43
PID 816 wrote to memory of 1204	816	svchcst.exe	43
PID 2536 wrote to memory of 1468	2536	WScript.exe	46
PID 2536 wrote to memory of 1468	2536	WScript.exe	46
PID 2536 wrote to memory of 1468	2536	WScript.exe	46
PID 2536 wrote to memory of 1468	2536	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe
"C:\Users\Admin\AppData\Local\Temp\5476cde2a28bbe346c3cd8f499b8184e8fbe5e549ee0d09284f9d526153e0a99.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b60d3e06bdca0a243bb750fbfde60c36

SHA1
88e7b87fc04f1317be67e81257ad80b2be99e7d4

SHA256
31a1e0f57c4a4009230ed3f9d3ac4a38a38dd7cd8f207bd77b420b780c51975d

SHA512
bcfde9a3accc1cd1f73eb1b43e929a0915e1f5aa6228ffbda30210cd40f035e1b2d61e73766d3742dbbf41921dbe25fca30a2c4db266150032bf6cb85024c7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
69092b83ae8ef837bd3a7d4b289c8739

SHA1
bf4df7eb657b909c39b3d0f7009a26e82875eb93

SHA256
f3ae029eb467f1362b785d2c6ac161e9c0c35893f0933f79fe5aa39786d3084d

SHA512
c880cc5d8ba30d3e3f2c49dbe4a52b9f80262b962a66d6823c3245723dd2d7e6ff2d680768ac5769f93684eb1cda60d0f06d37db6c8b0e344f02e71e1187b0f6

Download Submit
memory/1984-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download