c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
Size

1.1MB
MD5

78b52e14fbfe7ef408182a904f1ce54f
SHA1

b0ffdc6c381796b7f614c2219cab062d6d6d06bc
SHA256

c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa
SHA512

7920bee63a78a6e17e3330e78549617936d09f84d8d0901c253553e2a9d5c04fa01a2e008689802e63d8b0f907f487ca1431ee54585667a0a0175e931a216e84
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2512	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2512	svchcst.exe
1924	svchcst.exe
624	svchcst.exe
1416	svchcst.exe
480	svchcst.exe
2268	svchcst.exe
2088	svchcst.exe
2596	svchcst.exe
2624	svchcst.exe
2564	svchcst.exe
2316	svchcst.exe
2984	svchcst.exe
2864	svchcst.exe
604	svchcst.exe
3068	svchcst.exe
1684	svchcst.exe
2872	svchcst.exe
2624	svchcst.exe
2376	svchcst.exe
1272	svchcst.exe
2876	svchcst.exe
1416	svchcst.exe
2344	svchcst.exe
296	svchcst.exe

Loads dropped DLL 47 IoCs

pid	Process
2292	WScript.exe
2292	WScript.exe
3028	WScript.exe
3028	WScript.exe
3028	WScript.exe
3028	WScript.exe
2840	WScript.exe
2080	WScript.exe
2080	WScript.exe
1104	WScript.exe
1104	WScript.exe
1324	WScript.exe
1324	WScript.exe
1148	WScript.exe
1148	WScript.exe
3044	WScript.exe
3044	WScript.exe
1608	WScript.exe
1608	WScript.exe
2748	WScript.exe
2748	WScript.exe
2756	WScript.exe
2756	WScript.exe
2016	WScript.exe
2016	WScript.exe
540	WScript.exe
540	WScript.exe
2892	WScript.exe
2892	WScript.exe
2444	WScript.exe
2444	WScript.exe
1796	WScript.exe
1796	WScript.exe
2072	WScript.exe
2072	WScript.exe
3000	WScript.exe
3000	WScript.exe
1808	WScript.exe
1808	WScript.exe
2828	WScript.exe
2828	WScript.exe
2492	WScript.exe
2492	WScript.exe
1656	WScript.exe
1656	WScript.exe
2908	WScript.exe
2908	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
1924	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
2512	svchcst.exe
2512	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
624	svchcst.exe
624	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
480	svchcst.exe
480	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
604	svchcst.exe
604	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe
1272	svchcst.exe
1272	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
296	svchcst.exe
296	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2804	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	28
PID 2216 wrote to memory of 2804	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	28
PID 2216 wrote to memory of 2804	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	28
PID 2216 wrote to memory of 2804	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	28
PID 2216 wrote to memory of 2292	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	29
PID 2216 wrote to memory of 2292	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	29
PID 2216 wrote to memory of 2292	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	29
PID 2216 wrote to memory of 2292	2216	c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe	29
PID 2292 wrote to memory of 2512	2292	WScript.exe	31
PID 2292 wrote to memory of 2512	2292	WScript.exe	31
PID 2292 wrote to memory of 2512	2292	WScript.exe	31
PID 2292 wrote to memory of 2512	2292	WScript.exe	31
PID 2512 wrote to memory of 2604	2512	svchcst.exe	32
PID 2512 wrote to memory of 2604	2512	svchcst.exe	32
PID 2512 wrote to memory of 2604	2512	svchcst.exe	32
PID 2512 wrote to memory of 2604	2512	svchcst.exe	32
PID 2512 wrote to memory of 3028	2512	svchcst.exe	33
PID 2512 wrote to memory of 3028	2512	svchcst.exe	33
PID 2512 wrote to memory of 3028	2512	svchcst.exe	33
PID 2512 wrote to memory of 3028	2512	svchcst.exe	33
PID 3028 wrote to memory of 1924	3028	WScript.exe	34
PID 3028 wrote to memory of 1924	3028	WScript.exe	34
PID 3028 wrote to memory of 1924	3028	WScript.exe	34
PID 3028 wrote to memory of 1924	3028	WScript.exe	34
PID 1924 wrote to memory of 2840	1924	svchcst.exe	35
PID 1924 wrote to memory of 2840	1924	svchcst.exe	35
PID 1924 wrote to memory of 2840	1924	svchcst.exe	35
PID 1924 wrote to memory of 2840	1924	svchcst.exe	35
PID 3028 wrote to memory of 624	3028	WScript.exe	36
PID 3028 wrote to memory of 624	3028	WScript.exe	36
PID 3028 wrote to memory of 624	3028	WScript.exe	36
PID 3028 wrote to memory of 624	3028	WScript.exe	36
PID 2840 wrote to memory of 1416	2840	WScript.exe	37
PID 2840 wrote to memory of 1416	2840	WScript.exe	37
PID 2840 wrote to memory of 1416	2840	WScript.exe	37
PID 2840 wrote to memory of 1416	2840	WScript.exe	37
PID 1416 wrote to memory of 2080	1416	svchcst.exe	38
PID 1416 wrote to memory of 2080	1416	svchcst.exe	38
PID 1416 wrote to memory of 2080	1416	svchcst.exe	38
PID 1416 wrote to memory of 2080	1416	svchcst.exe	38
PID 2080 wrote to memory of 480	2080	WScript.exe	39
PID 2080 wrote to memory of 480	2080	WScript.exe	39
PID 2080 wrote to memory of 480	2080	WScript.exe	39
PID 2080 wrote to memory of 480	2080	WScript.exe	39
PID 480 wrote to memory of 1104	480	svchcst.exe	40
PID 480 wrote to memory of 1104	480	svchcst.exe	40
PID 480 wrote to memory of 1104	480	svchcst.exe	40
PID 480 wrote to memory of 1104	480	svchcst.exe	40
PID 1104 wrote to memory of 2268	1104	WScript.exe	41
PID 1104 wrote to memory of 2268	1104	WScript.exe	41
PID 1104 wrote to memory of 2268	1104	WScript.exe	41
PID 1104 wrote to memory of 2268	1104	WScript.exe	41
PID 2268 wrote to memory of 1324	2268	svchcst.exe	42
PID 2268 wrote to memory of 1324	2268	svchcst.exe	42
PID 2268 wrote to memory of 1324	2268	svchcst.exe	42
PID 2268 wrote to memory of 1324	2268	svchcst.exe	42
PID 1324 wrote to memory of 2088	1324	WScript.exe	43
PID 1324 wrote to memory of 2088	1324	WScript.exe	43
PID 1324 wrote to memory of 2088	1324	WScript.exe	43
PID 1324 wrote to memory of 2088	1324	WScript.exe	43
PID 2088 wrote to memory of 1148	2088	svchcst.exe	44
PID 2088 wrote to memory of 1148	2088	svchcst.exe	44
PID 2088 wrote to memory of 1148	2088	svchcst.exe	44
PID 2088 wrote to memory of 1148	2088	svchcst.exe	44

C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe
"C:\Users\Admin\AppData\Local\Temp\c40fc7e3df8e47497d5e3b3c54a9586cf09e9ffec5bf80c2613ec4ba4aee4bfa.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        
        PID:2960
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
37972dc8446e1cbc7a27ae7baa835cf8

SHA1
702a37710b5c5022155b37cd1de2c1f69244429d

SHA256
480829e55f331de1621808096a6eb9937d9ffaf0fcbd30f7f82109a6b67e58c4

SHA512
3614cc125a97768bfeb117278024689bd692a3cf09f8d8a077fa6b5250a55f7141637f542ed0eb043106cdf3611ff4b3f75efd401a3cd94ec1d9e43fef374947

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
522a20ce69b85e1fd33d3573bff02c84

SHA1
7eead2b53b4d39969f76e5b3160676a08cdfea93

SHA256
03333f2de868140b72a27d6a5ff974a03676f0337c9026e90137aad0ed51ede6

SHA512
73f56b55ce2e409fcf0a84cd9a10261eaafd57a27116bfa84536d607cc9154f00dfae5cd90833288bad8ca1498af26c677540a0e75bbb3ad50b11307335c3c97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3eb7d52785a6e179ba557c30b0c26e92

SHA1
8b6da5761a593ae89eaf4b7d26316a6ed2a031ff

SHA256
af3870dc5f4fc8ce02c9d83d890ca6f402d848a54c897718d8ed73a7bbc661ed

SHA512
7201d2c0cc0e9901dafff0478cc2bd6bf16b8801e3a8f1abb5d3685af320e199fd2ef6d33cd293244c180ca28d85d4d570391a77c19bb21f6eed6a3d0bffb924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
717048d265ec451814f6b4984e1493a8

SHA1
edb1136af6b546bc24c98c5afee1e88e135f9252

SHA256
42eeee326af0fb543e0ba14f5cc964928e6897e6655dd48c74f2f379170ed82d

SHA512
d1ed730ff9670ecf4d79cf8f3e2105c444a26bedec732309679f9852df6bb9e660e3f1f814e9fd1819713631e1b76a57d7948e25f66f4fbf582589274052cc8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3db5f13fd5eafa334bf1c3ee5c9bfde9

SHA1
c3531ecb21e83970a4843e17de9adabfaac445b6

SHA256
50880e26b7ddc4f5b71acf779ae2830e69ea6c873618433685d56811603e6c7c

SHA512
351c524d191e2b6ea3bae57b9e9ecd774d1611e3f908a5180c0c973b1e9f86931fbc75ef4db927fddbb68b64472f8af51914b044a7e1ea465d2a11c048ef5d21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7e734e7eacd46b1b97f5dcf4ce21dca4

SHA1
c5eca879f647b1ce73fd2abdd2e144927e25c8d1

SHA256
7020d72d33c15d35b0ad0686dca10108ffefbcb5d4fbae8f4072068aa86b2033

SHA512
767882a4bc484650192338f413d4cb98675862684acddbab20e12a85d0cfa2f5f9fc89763e7dc5b3a6ba7090e7c6e1e185ef62da75a4564cb387f10cb1400269

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6d053d380df553bfa625ad4dbf6d70be

SHA1
42747329aa12fecb5439dc94a47c754e9366be86

SHA256
325cc57d468d9f6fcdaf271163bc2f764674f6747cd36b28fbbcba6eb80676ed

SHA512
ea3ec83c0d53d72c2f60937a98283ffc621e08e03c5da62f49ed691923ec1e2d077644f6db078c424996f3599ccd5fc3c657d223a11302c18e4b56a78257be4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e3810cd9201c6b713ab050f07ea2248b

SHA1
04fe7a537a3b028e0ca061ca390b6e0e38e0f0d4

SHA256
45150ad61b987a648feba4e50ddb93916c53c64feda421b09631e0dada5ed3a1

SHA512
db9b1de3a917366b0c6ea4733ea89eedd2d61921d31cd306d4fcefc6f850f7543153814e1d9f091708a8aa9e76f6a80136517ad20f57885891461eee62c2e891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4961a1c1d157af4130791ae10bde6e9c

SHA1
33d5fe74590d85c9e98e942aa3ed4829d29f3036

SHA256
d4c4b8efeb695cb6aa1cede93d59327471177e2c5dc11d27fb537f38d5c554d2

SHA512
43a826a4810f27ae99488c71b66f92abfcb65381baa683e4a72408f50ecf23c1370a580a156e39bd7d161aa13ab5106d4dd8e5e5bdbc02f9a3fd700ceaf29cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1639673b6a9551ca2b39daac4207aea9

SHA1
1230db13e36766e5c1c0e3db94182baa5f705156

SHA256
b04dc5e664b7003517be4fb2f6be4d18ca5eb590fe184e22bbe9518a97ce254a

SHA512
99e21843226c80ea9d6c455ea4647cad54994eec1213e9a6eb6df0b5a6f14ffc87f84159a64452c72c6babd385be6a9993a95f7a2a0c6bb26e0d4a0556861985

Download Submit
memory/2216-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download