1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe
Size

1.1MB
MD5

ffbf739ca37b3b5b8ac99e862022f732
SHA1

c8fdf6104b78e8648f35b38fac06553b48a61f02
SHA256

1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650
SHA512

e1a6bb925f6ce60257cd6449a0c97c5aabac42b5c82d8149a00764e2cee5d87ae3f636cea0fea0d872757868f72dfd0a4443b6d8e42266ff236c17c2c5fee6ee
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
3004	svchcst.exe
2604	svchcst.exe
784	svchcst.exe
2304	svchcst.exe
484	svchcst.exe
2352	svchcst.exe
1160	svchcst.exe
2488	svchcst.exe
2776	svchcst.exe
712	svchcst.exe
1980	svchcst.exe
2460	svchcst.exe
792	svchcst.exe
544	svchcst.exe
1568	svchcst.exe
3036	svchcst.exe
2800	svchcst.exe
2492	svchcst.exe
2420	svchcst.exe
2348	svchcst.exe
2016	svchcst.exe
1016	svchcst.exe
596	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2828	WScript.exe
2828	WScript.exe
2612	WScript.exe
2612	WScript.exe
1964	WScript.exe
1964	WScript.exe
352	WScript.exe
352	WScript.exe
2212	WScript.exe
2212	WScript.exe
1404	WScript.exe
1404	WScript.exe
964	WScript.exe
2492	WScript.exe
2492	WScript.exe
2492	WScript.exe
2988	WScript.exe
2988	WScript.exe
1972	WScript.exe
1972	WScript.exe
1688	WScript.exe
1688	WScript.exe
2276	WScript.exe
2276	WScript.exe
1488	WScript.exe
1488	WScript.exe
1372	WScript.exe
1372	WScript.exe
1820	WScript.exe
1820	WScript.exe
2784	WScript.exe
2784	WScript.exe
2620	WScript.exe
2620	WScript.exe
2392	WScript.exe
2392	WScript.exe
1316	WScript.exe
1316	WScript.exe
1060	WScript.exe
1060	WScript.exe
2452	WScript.exe
2452	WScript.exe
2412	WScript.exe
2412	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe
1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe
3004	svchcst.exe
3004	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
784	svchcst.exe
784	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
484	svchcst.exe
484	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
1160	svchcst.exe
1160	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
712	svchcst.exe
712	svchcst.exe
1980	svchcst.exe
1980	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
792	svchcst.exe
792	svchcst.exe
544	svchcst.exe
544	svchcst.exe
1568	svchcst.exe
1568	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
1016	svchcst.exe
1016	svchcst.exe
596	svchcst.exe
596	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2828	1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe	28
PID 1716 wrote to memory of 2828	1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe	28
PID 1716 wrote to memory of 2828	1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe	28
PID 1716 wrote to memory of 2828	1716	1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe	28
PID 2828 wrote to memory of 3004	2828	WScript.exe	30
PID 2828 wrote to memory of 3004	2828	WScript.exe	30
PID 2828 wrote to memory of 3004	2828	WScript.exe	30
PID 2828 wrote to memory of 3004	2828	WScript.exe	30
PID 3004 wrote to memory of 2612	3004	svchcst.exe	31
PID 3004 wrote to memory of 2612	3004	svchcst.exe	31
PID 3004 wrote to memory of 2612	3004	svchcst.exe	31
PID 3004 wrote to memory of 2612	3004	svchcst.exe	31
PID 2612 wrote to memory of 2604	2612	WScript.exe	32
PID 2612 wrote to memory of 2604	2612	WScript.exe	32
PID 2612 wrote to memory of 2604	2612	WScript.exe	32
PID 2612 wrote to memory of 2604	2612	WScript.exe	32
PID 2604 wrote to memory of 1964	2604	svchcst.exe	33
PID 2604 wrote to memory of 1964	2604	svchcst.exe	33
PID 2604 wrote to memory of 1964	2604	svchcst.exe	33
PID 2604 wrote to memory of 1964	2604	svchcst.exe	33
PID 1964 wrote to memory of 784	1964	WScript.exe	34
PID 1964 wrote to memory of 784	1964	WScript.exe	34
PID 1964 wrote to memory of 784	1964	WScript.exe	34
PID 1964 wrote to memory of 784	1964	WScript.exe	34
PID 784 wrote to memory of 352	784	svchcst.exe	35
PID 784 wrote to memory of 352	784	svchcst.exe	35
PID 784 wrote to memory of 352	784	svchcst.exe	35
PID 784 wrote to memory of 352	784	svchcst.exe	35
PID 352 wrote to memory of 2304	352	WScript.exe	36
PID 352 wrote to memory of 2304	352	WScript.exe	36
PID 352 wrote to memory of 2304	352	WScript.exe	36
PID 352 wrote to memory of 2304	352	WScript.exe	36
PID 2304 wrote to memory of 2212	2304	svchcst.exe	37
PID 2304 wrote to memory of 2212	2304	svchcst.exe	37
PID 2304 wrote to memory of 2212	2304	svchcst.exe	37
PID 2304 wrote to memory of 2212	2304	svchcst.exe	37
PID 2212 wrote to memory of 484	2212	WScript.exe	38
PID 2212 wrote to memory of 484	2212	WScript.exe	38
PID 2212 wrote to memory of 484	2212	WScript.exe	38
PID 2212 wrote to memory of 484	2212	WScript.exe	38
PID 484 wrote to memory of 1404	484	svchcst.exe	39
PID 484 wrote to memory of 1404	484	svchcst.exe	39
PID 484 wrote to memory of 1404	484	svchcst.exe	39
PID 484 wrote to memory of 1404	484	svchcst.exe	39
PID 1404 wrote to memory of 2352	1404	WScript.exe	40
PID 1404 wrote to memory of 2352	1404	WScript.exe	40
PID 1404 wrote to memory of 2352	1404	WScript.exe	40
PID 1404 wrote to memory of 2352	1404	WScript.exe	40
PID 2352 wrote to memory of 964	2352	svchcst.exe	41
PID 2352 wrote to memory of 964	2352	svchcst.exe	41
PID 2352 wrote to memory of 964	2352	svchcst.exe	41
PID 2352 wrote to memory of 964	2352	svchcst.exe	41
PID 964 wrote to memory of 1160	964	WScript.exe	43
PID 964 wrote to memory of 1160	964	WScript.exe	43
PID 964 wrote to memory of 1160	964	WScript.exe	43
PID 964 wrote to memory of 1160	964	WScript.exe	43
PID 1160 wrote to memory of 2492	1160	svchcst.exe	45
PID 1160 wrote to memory of 2492	1160	svchcst.exe	45
PID 1160 wrote to memory of 2492	1160	svchcst.exe	45
PID 1160 wrote to memory of 2492	1160	svchcst.exe	45
PID 2492 wrote to memory of 2488	2492	WScript.exe	46
PID 2492 wrote to memory of 2488	2492	WScript.exe	46
PID 2492 wrote to memory of 2488	2492	WScript.exe	46
PID 2492 wrote to memory of 2488	2492	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe
"C:\Users\Admin\AppData\Local\Temp\1ea428efc4ed247035bd60c3c89990862e59bfe06ff85293218856675f8c5650.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7ec6ba631f5f1ed2eb52b336bc9a5bfb

SHA1
51eec10d5f585b55dc40dd93d8faeee1f5cd24de

SHA256
1d7c0de04d7caa0b7fd1bcdb500492722119deb0a68d881a578868e867e48d6e

SHA512
d48e1c577574867ceb1f5c5262c59b16ca41475674f3954ef07c117f5112a3a0db65b3b1d41f0bc4d8f8f58004ca52a259a393b144713c08a06887ff8bcb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
40e405af6120ab373044da89c949c584

SHA1
dddda01042b00c5a30996c791201d8298c835a6d

SHA256
12c7050c33cea35be697f3a6ead323f55c03ce034230139bf5a7bc59c05ff54b

SHA512
72239d6aef9adcc8b1ad8007e93f850e188b2fbdb8ac75cc93ccef83a1d7a2578a88145c9ced2c1767be5b0b28604fa44465fe66e231360bd3a8b28d468309f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87065c59cd3a050fb7b5c90acb67fed7

SHA1
4cb281f97468c68d1f96ba0358cbbacc3403eef3

SHA256
941329b95fec7d75910b0461405368ec4c7de7af9121f266602b1cc406369bed

SHA512
a4f70548a1372e93d4a889208187339510f8cef2bc3c04d4acf0bd72dc768ff74827f89b4b081ab34aac1928223a3c4c92e8b73dd620cac8ebd9f81dd420cb78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8835c1afad899af83873a587f12abb80

SHA1
a404bcddfb689b4633f2695896908ce2e2eee59f

SHA256
5a12617c26b1d0f6f9dd865bf15a350f71e55997609cba41ec93c8df16187e4d

SHA512
205d744a1a70b6c544bf78ea1895819a6b0d9fb13ee63a512ea7acdce54cecbf993d0f6f846f61c5e6e0e67175bf9a261c5992b72767e6f12629f26ba13fd610

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ccea09d4a7fa19b4148a0f2ba8087ce5

SHA1
384063ebcdb24d64ea86ddf57ec45928efe97368

SHA256
b4927fbd3ec1e39feb016983bea5396e126df8b4a347a6d46fc8758bb3f3db89

SHA512
7ba9df68cb59554326c779e402dc9c9de2bbf749c5eaf050dc0b6d632390130b418ccfb357a6d529807a5bb8e1fdb4ae7b8e22555a4c710e59ce2ab527e9435c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0bd3d2a4c09c2fee36d308525319b214

SHA1
2190821c105f9b084eab1a03534d340ca8f9e797

SHA256
bda047bb7f633e98d8c85dcf25a7ef77ef2b5b4fb293ec9c67651bdb998b5d8b

SHA512
5217c1bf3a35c098eab6cd86ced10d28d45a0128f323e25a78a2429299855eb6d2be7d28ed7e28b7127b3abb08d6f6518abbdfecc129f670734caca2069edc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a04a95e40f080e3612eee5f7754334ec

SHA1
c2dd373689575be0a3563cf2bdc69b7e148679fe

SHA256
26d35bb843395178ad44ccb9a13a37b1c028c392ca6e47983ffdd7253c8a6152

SHA512
9cf90c80cfc208904da8e9cee7e7cbe55abcabbdd22eace9091cbc73e2024f0be5502ab26a099288c17d8dc8ad107045d361f823c70a6945b5bd94fcbcbcf114

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ae3942e9284f34eef5700cfe16b92461

SHA1
e0e93be290dc2e3a8d1cd0c277e8a418e264c800

SHA256
f7f858fd5a0d384db7a0203eba4f66a378b0c1439c213d1c83f0d55b78b45289

SHA512
5a02274c5bd2afa567039c378ced88366a09b1b04b9f78777a6a9cb9731a5977fca27e7df16dc1d11ea2a1775cef7e6b4dbb22456ac0dc4427358eb1426065bc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3c2f0d7597b36630116ef0eaf8671842

SHA1
88e0077f20d2dafb2045af12b937a1088d6cb466

SHA256
f3756825530b35aee0dba20db82e37822639479163e2e54df93df668c5f52d7c

SHA512
f7ee96c24b31b0688de8898823965b13be1a74f37063862bf1d4b0356fa70a8df8d9774b4eba4e11f7e6a9d2143bd86cf7cb73e272da07a7ace33ca46e73cb72

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
27c42e5ef4a31017fc2e67a2a71ae15b

SHA1
c5a81e08e9af44a36e58c8edcd94eec97a17041c

SHA256
c4ead6ab0557239d21a8f63ef6d3a179c80ef4a9a3824bde17286f6658d55e8f

SHA512
8cae52c539e2ce779f19d26bc3016f9a88588d705a67fb01a0d356102e6cb7bff8b9c969b2b8194eefce1aef4c1446e3837bcc6203816a9147257d124e6747d7

Download Submit
memory/1716-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download