b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
Size

1.1MB
MD5

36ecd31ccf9de49f89ef35d5142d7604
SHA1

7048aea1105dbe612bbb1201798f243715cbb1b7
SHA256

b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5
SHA512

0a6e0075828c3b32f8b5e2149c1927d489641255e5a08a400388db2396ea354d3ad3f5562281f4ec482bd6f2e7dbba101c8dae98b3a72fcb3b50734684546bfb
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QB:acallSllG4ZM7QzMi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2732	svchcst.exe
2772	svchcst.exe
2412	svchcst.exe
1324	svchcst.exe
336	svchcst.exe
1908	svchcst.exe
2616	svchcst.exe
2128	svchcst.exe
2556	svchcst.exe
3060	svchcst.exe
1680	svchcst.exe
2932	svchcst.exe
712	svchcst.exe
1356	svchcst.exe
892	svchcst.exe
1244	svchcst.exe
2776	svchcst.exe
2812	svchcst.exe
1796	svchcst.exe
548	svchcst.exe
2936	svchcst.exe
320	svchcst.exe
348	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2432	WScript.exe
2432	WScript.exe
2552	WScript.exe
3032	WScript.exe
3032	WScript.exe
3032	WScript.exe
2120	WScript.exe
2120	WScript.exe
2988	WScript.exe
1020	WScript.exe
2348	WScript.exe
2348	WScript.exe
2140	WScript.exe
2140	WScript.exe
2732	WScript.exe
1712	WScript.exe
1712	WScript.exe
2020	WScript.exe
484	WScript.exe
484	WScript.exe
556	WScript.exe
556	WScript.exe
2988	WScript.exe
2988	WScript.exe
2796	WScript.exe
2796	WScript.exe
2748	WScript.exe
2748	WScript.exe
3008	WScript.exe
3008	WScript.exe
3016	WScript.exe
3016	WScript.exe
2768	WScript.exe
2768	WScript.exe
1040	WScript.exe
1040	WScript.exe
2300	WScript.exe
2300	WScript.exe
1824	WScript.exe
1824	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
2732	svchcst.exe
2732	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1324	svchcst.exe
1324	svchcst.exe
336	svchcst.exe
336	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
712	svchcst.exe
712	svchcst.exe
1356	svchcst.exe
1356	svchcst.exe
892	svchcst.exe
892	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
1796	svchcst.exe
1796	svchcst.exe
548	svchcst.exe
548	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
320	svchcst.exe
320	svchcst.exe
348	svchcst.exe
348	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2432	2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe	28
PID 2956 wrote to memory of 2432	2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe	28
PID 2956 wrote to memory of 2432	2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe	28
PID 2956 wrote to memory of 2432	2956	b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe	28
PID 2432 wrote to memory of 2732	2432	WScript.exe	30
PID 2432 wrote to memory of 2732	2432	WScript.exe	30
PID 2432 wrote to memory of 2732	2432	WScript.exe	30
PID 2432 wrote to memory of 2732	2432	WScript.exe	30
PID 2732 wrote to memory of 2552	2732	svchcst.exe	31
PID 2732 wrote to memory of 2552	2732	svchcst.exe	31
PID 2732 wrote to memory of 2552	2732	svchcst.exe	31
PID 2732 wrote to memory of 2552	2732	svchcst.exe	31
PID 2552 wrote to memory of 2772	2552	WScript.exe	32
PID 2552 wrote to memory of 2772	2552	WScript.exe	32
PID 2552 wrote to memory of 2772	2552	WScript.exe	32
PID 2552 wrote to memory of 2772	2552	WScript.exe	32
PID 2772 wrote to memory of 3032	2772	svchcst.exe	33
PID 2772 wrote to memory of 3032	2772	svchcst.exe	33
PID 2772 wrote to memory of 3032	2772	svchcst.exe	33
PID 2772 wrote to memory of 3032	2772	svchcst.exe	33
PID 3032 wrote to memory of 2412	3032	WScript.exe	34
PID 3032 wrote to memory of 2412	3032	WScript.exe	34
PID 3032 wrote to memory of 2412	3032	WScript.exe	34
PID 3032 wrote to memory of 2412	3032	WScript.exe	34
PID 2412 wrote to memory of 3036	2412	svchcst.exe	35
PID 2412 wrote to memory of 3036	2412	svchcst.exe	35
PID 2412 wrote to memory of 3036	2412	svchcst.exe	35
PID 2412 wrote to memory of 3036	2412	svchcst.exe	35
PID 3032 wrote to memory of 1324	3032	WScript.exe	36
PID 3032 wrote to memory of 1324	3032	WScript.exe	36
PID 3032 wrote to memory of 1324	3032	WScript.exe	36
PID 3032 wrote to memory of 1324	3032	WScript.exe	36
PID 1324 wrote to memory of 2120	1324	svchcst.exe	37
PID 1324 wrote to memory of 2120	1324	svchcst.exe	37
PID 1324 wrote to memory of 2120	1324	svchcst.exe	37
PID 1324 wrote to memory of 2120	1324	svchcst.exe	37
PID 2120 wrote to memory of 336	2120	WScript.exe	38
PID 2120 wrote to memory of 336	2120	WScript.exe	38
PID 2120 wrote to memory of 336	2120	WScript.exe	38
PID 2120 wrote to memory of 336	2120	WScript.exe	38
PID 336 wrote to memory of 2988	336	svchcst.exe	39
PID 336 wrote to memory of 2988	336	svchcst.exe	39
PID 336 wrote to memory of 2988	336	svchcst.exe	39
PID 336 wrote to memory of 2988	336	svchcst.exe	39
PID 2988 wrote to memory of 1908	2988	WScript.exe	40
PID 2988 wrote to memory of 1908	2988	WScript.exe	40
PID 2988 wrote to memory of 1908	2988	WScript.exe	40
PID 2988 wrote to memory of 1908	2988	WScript.exe	40
PID 1908 wrote to memory of 1020	1908	svchcst.exe	41
PID 1908 wrote to memory of 1020	1908	svchcst.exe	41
PID 1908 wrote to memory of 1020	1908	svchcst.exe	41
PID 1908 wrote to memory of 1020	1908	svchcst.exe	41
PID 1020 wrote to memory of 2616	1020	WScript.exe	42
PID 1020 wrote to memory of 2616	1020	WScript.exe	42
PID 1020 wrote to memory of 2616	1020	WScript.exe	42
PID 1020 wrote to memory of 2616	1020	WScript.exe	42
PID 2616 wrote to memory of 2348	2616	svchcst.exe	43
PID 2616 wrote to memory of 2348	2616	svchcst.exe	43
PID 2616 wrote to memory of 2348	2616	svchcst.exe	43
PID 2616 wrote to memory of 2348	2616	svchcst.exe	43
PID 2348 wrote to memory of 2128	2348	WScript.exe	46
PID 2348 wrote to memory of 2128	2348	WScript.exe	46
PID 2348 wrote to memory of 2128	2348	WScript.exe	46
PID 2348 wrote to memory of 2128	2348	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe
"C:\Users\Admin\AppData\Local\Temp\b523c5585efa129263f522c05354732cc2c2182bf09e4f5012d2b605050d31d5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1944b6aca957234c688996974079b710

SHA1
61b4ea23ef7262d3f8bd9dc689d999f4eda7e849

SHA256
9797b700da62a510d4484861e3c2464646d6af0c4f764caa213580c51a2d746b

SHA512
a4aa394ec9bf57ab8241f1eecc0a0f79ea68f835fb7499240a06e039d4db909803a5ce00bb6ecab72e16755ab8b9a1c174f2cdff6597db8b0e9fe61420ab7989

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
07b2d5ef2a065888bcd8a45f1ba75c83

SHA1
d940a1a4b13e06539738a45209458e77903c9be8

SHA256
e1dce8651d267eadb01722aed312bcbe23d642cfd52872a3786f55d3707e8eb3

SHA512
55ba898f41edc733ae4f3210b6dab5f5fa6b871ecb7d52fc0f5cc2dfc98e6544ae308da029041fb30389c7c7a563f4b6470ed06f236e5ae185908914a1a996f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
efa127fe91fdeb89298a9d67296c6efa

SHA1
d686e04a415d4e7a638cacbbf81955bcc34a09cd

SHA256
34b1ac10e0f79691e88a58244cd882fe14ab46d72f8321075d851ddf7a33b7e9

SHA512
75579353bdaf04c232d02f8f7fa2d19d93c670892a6b8581e18b65fcddcdb5cb38c717648c231fbf841941d0c0b754d7e76f1f2f981b996b55698b0b5c6273d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a525321d2c2f154b6dcd2702880999c0

SHA1
01ced1eacb05c996747a3845ec0c850fe0ec27c8

SHA256
8582d58622aefb5277160c2c1a2fb331fefa73775664c1da9a30f8e2676deb3d

SHA512
9fc2f753c9400569fa883ac274247ea0263a9030429744e12a522315355e3bbf7d6b082ec7ff04d4943a7666ef62dcd63e87fdad4c283a06d872a3d397f58c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d58f9059aef5dc363989aa69fc6485d3

SHA1
5c6b522c64e08562bbec268aed2555cef62cfc19

SHA256
53f9084f597995a6887cf8a86987e72bb4a815200a7dda41efa6ed029bb15156

SHA512
809b949c3095f5b372b18556a51efce5c6a29d09f19d69d890ca072b9bacfcab717ece062cb93ca8261510ecb22674af87e2753682de5ebb6eb380edf0c8dee5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3e18f229ee7bfc6b59dbb4de260b8bad

SHA1
6d7b474e5279c388c65837adfe9982012a247705

SHA256
78b89ada9f3e4f1bf597520305a215c3acd31b1ef4c3305365b03a2e339de59f

SHA512
e8e3a091e55e4775f4fb1c87fee05e059b82561b08b8556995d34657694465d4bc9df5bc8cf874e9f9b957e4f05d07715d111a63e88045b32108b872082753bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
19cee786bfd930d26c1b2d4b6f397337

SHA1
ef0110f9f49d118a781269e4fee0999732ee7d44

SHA256
d1f53487149c7b999835ae2eb893a0cf107afa944c84ab9176816d4650ec4572

SHA512
5bdf8cac96935f626ade4a6be6557cfda35c2e3ac6ca0f4cebbbbcbc15b540fbfb319876a23cb495e54b18d13a5ee5239e71301ff61c8c27a3470e46a7f6de28

Download Submit
memory/320-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/336-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/336-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/348-254-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/548-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/548-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/712-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/712-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/892-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/892-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1020-93-0x0000000004750000-0x00000000048AF000-memory.dmp

Filesize
1.4MB

Download
memory/1040-240-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/1244-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1244-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1324-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1324-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1712-150-0x0000000005C10000-0x0000000005D6F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2020-164-0x0000000005940000-0x0000000005A9F000-memory.dmp

Filesize
1.4MB

Download
memory/2120-72-0x0000000004830000-0x000000000498F000-memory.dmp

Filesize
1.4MB

Download
memory/2120-67-0x0000000004830000-0x000000000498F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-124-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-129-0x0000000005AC0000-0x0000000005C1F000-memory.dmp

Filesize
1.4MB

Download
memory/2300-246-0x00000000045B0000-0x000000000470F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-107-0x00000000057B0000-0x000000000590F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-108-0x00000000057B0000-0x000000000590F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-53-0x00000000044A0000-0x00000000045FF000-memory.dmp

Filesize
1.4MB

Download
memory/2556-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-82-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-244-0x0000000005BA0000-0x0000000005CFF000-memory.dmp

Filesize
1.4MB

Download
memory/3032-51-0x0000000005BA0000-0x0000000005CFF000-memory.dmp

Filesize
1.4MB

Download
memory/3032-50-0x0000000005BA0000-0x0000000005CFF000-memory.dmp

Filesize
1.4MB

Download
memory/3060-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download