46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe
Size

1.1MB
MD5

eeed20ae7a99c89fab5ae8ffffdaeae9
SHA1

a4abb34317a8a6b48240f93b2db1242a0cc06e7b
SHA256

46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29
SHA512

28d74bbf1fb9d6d48e806bc615d749ef6d2766d4ffaecc776ca3e9fc583c9596a67277a77d7f578ebdb14a45ed96980f78d8f5311e87c6ad84b37b1de876379a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QH:CcaClSFlG4ZM7QzMA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2572	svchcst.exe
1220	svchcst.exe
1944	svchcst.exe
1608	svchcst.exe
484	svchcst.exe
708	svchcst.exe
2200	svchcst.exe
2928	svchcst.exe
2520	svchcst.exe
2988	svchcst.exe
1880	svchcst.exe
2620	svchcst.exe
2304	svchcst.exe
788	svchcst.exe
1764	svchcst.exe
1244	svchcst.exe
1572	svchcst.exe
2132	svchcst.exe
1780	svchcst.exe
2988	svchcst.exe
1204	svchcst.exe
1948	svchcst.exe
1748	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2988	WScript.exe
2988	WScript.exe
2716	WScript.exe
2716	WScript.exe
2004	WScript.exe
2004	WScript.exe
2756	WScript.exe
2756	WScript.exe
1200	WScript.exe
1468	WScript.exe
1736	WScript.exe
1736	WScript.exe
2116	WScript.exe
2724	WScript.exe
2480	WScript.exe
1960	WScript.exe
2792	WScript.exe
2792	WScript.exe
3040	WScript.exe
3040	WScript.exe
1112	WScript.exe
1112	WScript.exe
2952	WScript.exe
2952	WScript.exe
1592	WScript.exe
1592	WScript.exe
1892	WScript.exe
1892	WScript.exe
2472	WScript.exe
2472	WScript.exe
1000	WScript.exe
1000	WScript.exe
2012	WScript.exe
2012	WScript.exe
1640	WScript.exe
1640	WScript.exe
2700	WScript.exe
2700	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe
1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe
2572	svchcst.exe
2572	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
484	svchcst.exe
484	svchcst.exe
708	svchcst.exe
708	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
1880	svchcst.exe
1880	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
788	svchcst.exe
788	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
1572	svchcst.exe
1572	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
1204	svchcst.exe
1204	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2988	1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe	28
PID 1620 wrote to memory of 2988	1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe	28
PID 1620 wrote to memory of 2988	1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe	28
PID 1620 wrote to memory of 2988	1620	46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe	28
PID 2988 wrote to memory of 2572	2988	WScript.exe	30
PID 2988 wrote to memory of 2572	2988	WScript.exe	30
PID 2988 wrote to memory of 2572	2988	WScript.exe	30
PID 2988 wrote to memory of 2572	2988	WScript.exe	30
PID 2572 wrote to memory of 2716	2572	svchcst.exe	31
PID 2572 wrote to memory of 2716	2572	svchcst.exe	31
PID 2572 wrote to memory of 2716	2572	svchcst.exe	31
PID 2572 wrote to memory of 2716	2572	svchcst.exe	31
PID 2716 wrote to memory of 1220	2716	WScript.exe	32
PID 2716 wrote to memory of 1220	2716	WScript.exe	32
PID 2716 wrote to memory of 1220	2716	WScript.exe	32
PID 2716 wrote to memory of 1220	2716	WScript.exe	32
PID 1220 wrote to memory of 2004	1220	svchcst.exe	33
PID 1220 wrote to memory of 2004	1220	svchcst.exe	33
PID 1220 wrote to memory of 2004	1220	svchcst.exe	33
PID 1220 wrote to memory of 2004	1220	svchcst.exe	33
PID 2004 wrote to memory of 1944	2004	WScript.exe	34
PID 2004 wrote to memory of 1944	2004	WScript.exe	34
PID 2004 wrote to memory of 1944	2004	WScript.exe	34
PID 2004 wrote to memory of 1944	2004	WScript.exe	34
PID 1944 wrote to memory of 2756	1944	svchcst.exe	35
PID 1944 wrote to memory of 2756	1944	svchcst.exe	35
PID 1944 wrote to memory of 2756	1944	svchcst.exe	35
PID 1944 wrote to memory of 2756	1944	svchcst.exe	35
PID 2756 wrote to memory of 1608	2756	WScript.exe	36
PID 2756 wrote to memory of 1608	2756	WScript.exe	36
PID 2756 wrote to memory of 1608	2756	WScript.exe	36
PID 2756 wrote to memory of 1608	2756	WScript.exe	36
PID 1608 wrote to memory of 1200	1608	svchcst.exe	37
PID 1608 wrote to memory of 1200	1608	svchcst.exe	37
PID 1608 wrote to memory of 1200	1608	svchcst.exe	37
PID 1608 wrote to memory of 1200	1608	svchcst.exe	37
PID 1200 wrote to memory of 484	1200	WScript.exe	38
PID 1200 wrote to memory of 484	1200	WScript.exe	38
PID 1200 wrote to memory of 484	1200	WScript.exe	38
PID 1200 wrote to memory of 484	1200	WScript.exe	38
PID 484 wrote to memory of 1468	484	svchcst.exe	39
PID 484 wrote to memory of 1468	484	svchcst.exe	39
PID 484 wrote to memory of 1468	484	svchcst.exe	39
PID 484 wrote to memory of 1468	484	svchcst.exe	39
PID 1468 wrote to memory of 708	1468	WScript.exe	40
PID 1468 wrote to memory of 708	1468	WScript.exe	40
PID 1468 wrote to memory of 708	1468	WScript.exe	40
PID 1468 wrote to memory of 708	1468	WScript.exe	40
PID 708 wrote to memory of 1736	708	svchcst.exe	41
PID 708 wrote to memory of 1736	708	svchcst.exe	41
PID 708 wrote to memory of 1736	708	svchcst.exe	41
PID 708 wrote to memory of 1736	708	svchcst.exe	41
PID 1736 wrote to memory of 2200	1736	WScript.exe	44
PID 1736 wrote to memory of 2200	1736	WScript.exe	44
PID 1736 wrote to memory of 2200	1736	WScript.exe	44
PID 1736 wrote to memory of 2200	1736	WScript.exe	44
PID 2200 wrote to memory of 2116	2200	svchcst.exe	45
PID 2200 wrote to memory of 2116	2200	svchcst.exe	45
PID 2200 wrote to memory of 2116	2200	svchcst.exe	45
PID 2200 wrote to memory of 2116	2200	svchcst.exe	45
PID 1736 wrote to memory of 2928	1736	WScript.exe	46
PID 1736 wrote to memory of 2928	1736	WScript.exe	46
PID 1736 wrote to memory of 2928	1736	WScript.exe	46
PID 1736 wrote to memory of 2928	1736	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe
"C:\Users\Admin\AppData\Local\Temp\46c487e6e39680894c69d45609b22d428ec143ff24313c9cfc904db3f1289d29.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ca617f6d470b9fe400ba3ea3b839ea86

SHA1
d7f4e0fc6be9cdd7875daea00ad6ff83ea26d9e6

SHA256
a074a3268eb6566e9fe4ed75a59e13a72f40f8eeb47b83ae27c1a2acd763174a

SHA512
6288503cbb091d96f9211e94c9825cde8f38e61f90585329f342df3491a1105d031f45421cd16bbc49d0ca54b1cf0701f2b249cf0b39bd047ede6dc0ef633fda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
df424370c9515ceb55c7d15b4926f86a

SHA1
6df13c8a38a4f09d2fd8b004f37119db15fcb1ee

SHA256
e8bc0a22e148590228bc8d276ee1fc005383ebdbd5998dd9beba3ff8b828bdd2

SHA512
b0bcb9d27acabbf2e6ac88f0c9cf5152038a07645d66a431e9e367cbc3fcc0db7469d4bdc99e741c47aea1280b67c376070e154d560b9e2feac20afb1645a270

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7feb464d30b8c39f8e9b95d5cd93e88c

SHA1
9de5aedf58cba21722695fe6e2fc346327808921

SHA256
b129df5baa3c5a4440f40b0d6bca2d12e3dbc17d5e307e6fe61404e4a5d35cef

SHA512
1e549f63d2f94f65a51ddcdb391b89e2efa86ced552f51428434e05d25c7c91cc755536890602073f5978546400550b2f2e948516f459c86847699467c197fb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0e20044772254a927e33279f88e67666

SHA1
7172fee7ab9cd30216c1f7a68403c2e45eb3ef1a

SHA256
31e8796096e185126c0100b2b7a2f3ba5227729e484915fcf0229ade09d1a8b2

SHA512
f9053da41ea57712bc65a7bb2f407cff1e6adc7b820cc2998475b768350466e105aa034b13edeea51ffcf9e66ca7525cb132b26e4cb950a19d5bca091a0c5a2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
75ced6d0cee3d5f0c388fe67fd373b33

SHA1
b1c2a4664563c12bf078478c6b41fbf67b1d2594

SHA256
996d8d9228f56607115501d01e4fc796b609368e3f49a97ef82e289fb9b1d565

SHA512
e0f1dfa1b56e7b4b10c0b2117e6e73d4b0ca96d37fbf356de88f4834c1b905270301743e4918c4467f566627cc40c389a5369995a8347b6239c2287515b3874f

Download Submit
memory/1620-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download