39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe
Size

1.1MB
MD5

e344cc141c19f4d441db280419b2be1e
SHA1

0bd60f659206214d5e3af86f0dcae0fad65a3126
SHA256

39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6
SHA512

263d5cd45acf6fe39abdb394eb600d1b2fc230c89151303e5eb1478460bdfe3c4d4ade6d4baf3544739505034d7577d06c4f5619d219d6fcf207adc95e9060c3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzM7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2436	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2436	svchcst.exe
2772	svchcst.exe
1136	svchcst.exe
2968	svchcst.exe
588	svchcst.exe
968	svchcst.exe
792	svchcst.exe
1744	svchcst.exe
2652	svchcst.exe
2436	svchcst.exe
2392	svchcst.exe
1264	svchcst.exe
564	svchcst.exe
2108	svchcst.exe
2904	svchcst.exe
2564	svchcst.exe
3068	svchcst.exe
1512	svchcst.exe
2588	svchcst.exe
1132	svchcst.exe
1976	svchcst.exe
2964	svchcst.exe
1844	svchcst.exe

Loads dropped DLL 33 IoCs

pid	Process
2636	WScript.exe
2636	WScript.exe
2948	WScript.exe
1584	WScript.exe
1584	WScript.exe
1628	WScript.exe
1628	WScript.exe
948	WScript.exe
948	WScript.exe
2872	WScript.exe
2872	WScript.exe
1600	WScript.exe
1600	WScript.exe
2064	WScript.exe
2064	WScript.exe
1156	WScript.exe
1156	WScript.exe
2284	WScript.exe
2284	WScript.exe
2444	WScript.exe
2444	WScript.exe
2488	WScript.exe
2488	WScript.exe
2752	WScript.exe
2752	WScript.exe
2784	WScript.exe
2784	WScript.exe
2320	WScript.exe
2320	WScript.exe
1968	WScript.exe
1968	WScript.exe
1036	WScript.exe
1036	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe
2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe
2436	svchcst.exe
2436	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
588	svchcst.exe
588	svchcst.exe
968	svchcst.exe
968	svchcst.exe
792	svchcst.exe
792	svchcst.exe
1744	svchcst.exe
1744	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
1264	svchcst.exe
1264	svchcst.exe
564	svchcst.exe
564	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
1976	svchcst.exe
1976	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2636	2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe	28
PID 2344 wrote to memory of 2636	2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe	28
PID 2344 wrote to memory of 2636	2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe	28
PID 2344 wrote to memory of 2636	2344	39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe	28
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2636 wrote to memory of 2436	2636	WScript.exe	30
PID 2436 wrote to memory of 2948	2436	svchcst.exe	31
PID 2436 wrote to memory of 2948	2436	svchcst.exe	31
PID 2436 wrote to memory of 2948	2436	svchcst.exe	31
PID 2436 wrote to memory of 2948	2436	svchcst.exe	31
PID 2948 wrote to memory of 2772	2948	WScript.exe	32
PID 2948 wrote to memory of 2772	2948	WScript.exe	32
PID 2948 wrote to memory of 2772	2948	WScript.exe	32
PID 2948 wrote to memory of 2772	2948	WScript.exe	32
PID 2772 wrote to memory of 1584	2772	svchcst.exe	33
PID 2772 wrote to memory of 1584	2772	svchcst.exe	33
PID 2772 wrote to memory of 1584	2772	svchcst.exe	33
PID 2772 wrote to memory of 1584	2772	svchcst.exe	33
PID 1584 wrote to memory of 1136	1584	WScript.exe	34
PID 1584 wrote to memory of 1136	1584	WScript.exe	34
PID 1584 wrote to memory of 1136	1584	WScript.exe	34
PID 1584 wrote to memory of 1136	1584	WScript.exe	34
PID 1136 wrote to memory of 844	1136	svchcst.exe	35
PID 1136 wrote to memory of 844	1136	svchcst.exe	35
PID 1136 wrote to memory of 844	1136	svchcst.exe	35
PID 1136 wrote to memory of 844	1136	svchcst.exe	35
PID 1584 wrote to memory of 2968	1584	WScript.exe	36
PID 1584 wrote to memory of 2968	1584	WScript.exe	36
PID 1584 wrote to memory of 2968	1584	WScript.exe	36
PID 1584 wrote to memory of 2968	1584	WScript.exe	36
PID 2968 wrote to memory of 1628	2968	svchcst.exe	37
PID 2968 wrote to memory of 1628	2968	svchcst.exe	37
PID 2968 wrote to memory of 1628	2968	svchcst.exe	37
PID 2968 wrote to memory of 1628	2968	svchcst.exe	37
PID 1628 wrote to memory of 588	1628	WScript.exe	38
PID 1628 wrote to memory of 588	1628	WScript.exe	38
PID 1628 wrote to memory of 588	1628	WScript.exe	38
PID 1628 wrote to memory of 588	1628	WScript.exe	38
PID 588 wrote to memory of 1060	588	svchcst.exe	39
PID 588 wrote to memory of 1060	588	svchcst.exe	39
PID 588 wrote to memory of 1060	588	svchcst.exe	39
PID 588 wrote to memory of 1060	588	svchcst.exe	39
PID 1628 wrote to memory of 968	1628	WScript.exe	40
PID 1628 wrote to memory of 968	1628	WScript.exe	40
PID 1628 wrote to memory of 968	1628	WScript.exe	40
PID 1628 wrote to memory of 968	1628	WScript.exe	40
PID 968 wrote to memory of 948	968	svchcst.exe	41
PID 968 wrote to memory of 948	968	svchcst.exe	41
PID 968 wrote to memory of 948	968	svchcst.exe	41
PID 968 wrote to memory of 948	968	svchcst.exe	41
PID 948 wrote to memory of 792	948	WScript.exe	42
PID 948 wrote to memory of 792	948	WScript.exe	42
PID 948 wrote to memory of 792	948	WScript.exe	42
PID 948 wrote to memory of 792	948	WScript.exe	42
PID 792 wrote to memory of 2872	792	svchcst.exe	43
PID 792 wrote to memory of 2872	792	svchcst.exe	43
PID 792 wrote to memory of 2872	792	svchcst.exe	43
PID 792 wrote to memory of 2872	792	svchcst.exe	43
PID 948 wrote to memory of 1744	948	WScript.exe	46
PID 948 wrote to memory of 1744	948	WScript.exe	46
PID 948 wrote to memory of 1744	948	WScript.exe	46
PID 948 wrote to memory of 1744	948	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe
"C:\Users\Admin\AppData\Local\Temp\39f591ad18b433b8e54686b2deb9b18361b6e179b0b95cc531142cdd324499a6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
17a7ad271ac5165404242e0fe6145156

SHA1
53211cecdb2ac1b14dbb4e2b15c416c7f76bb5cb

SHA256
621052b10d0586d5706052508045a84c65493a21299a173d4b95b6994ba8d3a5

SHA512
66e72e2a54aa816e97db3237f3e437d53b2e1134ae43259ca644dc83eb71ad12914156c5e74aa03d49cfa0af68fc58616fddd430eaebcf7db899aff4b46df4b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25874246c29e6249372a62c1ffb8a1ae

SHA1
8b271268ba9ae539e8c5ca3233e5f85772899926

SHA256
3d9e506a169afe13ea22a91f88363de0837fc11723beb0425f564262d104bb59

SHA512
bb48d383a7aa5bc14fbe010fd778e40512b1079fa7c66757041b6e79c51bf6a719b058434d6c603db81d8d5bd269f354d153ca899aaae789e25061f005afcdaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
02b32d2f93a71aa8089ce977d6f44454

SHA1
4f3d7a876bbb7a0d3377145c16a901fe2a18979e

SHA256
99e0c24c8dc030639d2699c924ea4028eeadc1e649d824976adffe9a42f32833

SHA512
6e6b52e527bab9f99ee5778f6d6a1010899fed03c4439c67b841c4d510a0e1a1a30fadd89eaa8ddef04dcc344bb3312aa47a69dcf680899b1b9c0ce619980a73

Download Submit
memory/564-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/564-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/588-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/588-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/792-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/792-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1156-168-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/1264-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1844-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-15-0x0000000005CA0000-0x0000000005DFF000-memory.dmp

Filesize
1.4MB

Download
memory/2636-14-0x0000000005CA0000-0x0000000005DFF000-memory.dmp

Filesize
1.4MB

Download
memory/2652-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2652-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-207-0x0000000005A50000-0x0000000005BAF000-memory.dmp

Filesize
1.4MB

Download
memory/2904-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2904-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-28-0x0000000004600000-0x000000000475F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download