eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 21:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
Size

1.1MB
MD5

2a23f69b03bdb8e9f3648af23d6c6e25
SHA1

e99065918021af0b3b4db3f897832c1a1656393a
SHA256

eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209
SHA512

6cfc6ecd6d8266cece09096491d89805097512b7bcc2be0746c520c6255591ecdefe3815e29252d0622566adb63e262be078f1582b8e6a7272882c912ffa065f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qm:acallSllG4ZM7QzMt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2520	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2520	svchcst.exe
1768	svchcst.exe
2212	svchcst.exe
1616	svchcst.exe
2348	svchcst.exe
2804	svchcst.exe
1648	svchcst.exe
2388	svchcst.exe
2012	svchcst.exe
2396	svchcst.exe
2588	svchcst.exe
2244	svchcst.exe
1284	svchcst.exe
1380	svchcst.exe
868	svchcst.exe
2732	svchcst.exe
2188	svchcst.exe
2400	svchcst.exe
1680	svchcst.exe
656	svchcst.exe
620	svchcst.exe
2344	svchcst.exe
392	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2144	WScript.exe
2144	WScript.exe
1260	WScript.exe
2560	WScript.exe
1556	WScript.exe
1556	WScript.exe
308	WScript.exe
308	WScript.exe
1504	WScript.exe
1504	WScript.exe
2028	WScript.exe
2028	WScript.exe
1668	WScript.exe
1668	WScript.exe
3000	WScript.exe
3000	WScript.exe
1296	WScript.exe
1296	WScript.exe
2392	WScript.exe
2392	WScript.exe
2856	WScript.exe
2856	WScript.exe
2332	WScript.exe
2332	WScript.exe
1344	WScript.exe
1344	WScript.exe
2716	WScript.exe
2716	WScript.exe
2072	WScript.exe
2072	WScript.exe
2620	WScript.exe
2620	WScript.exe
1608	WScript.exe
1608	WScript.exe
1992	WScript.exe
1992	WScript.exe
1828	WScript.exe
1828	WScript.exe
2476	WScript.exe
2476	WScript.exe
2884	WScript.exe
2884	WScript.exe
1140	WScript.exe
1140	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
2520	svchcst.exe
2520	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
1648	svchcst.exe
1648	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2244	svchcst.exe
2244	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1380	svchcst.exe
1380	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
656	svchcst.exe
656	svchcst.exe
620	svchcst.exe
620	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
392	svchcst.exe
392	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2144	2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe	28
PID 2236 wrote to memory of 2144	2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe	28
PID 2236 wrote to memory of 2144	2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe	28
PID 2236 wrote to memory of 2144	2236	eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe	28
PID 2144 wrote to memory of 2520	2144	WScript.exe	30
PID 2144 wrote to memory of 2520	2144	WScript.exe	30
PID 2144 wrote to memory of 2520	2144	WScript.exe	30
PID 2144 wrote to memory of 2520	2144	WScript.exe	30
PID 2520 wrote to memory of 1260	2520	svchcst.exe	31
PID 2520 wrote to memory of 1260	2520	svchcst.exe	31
PID 2520 wrote to memory of 1260	2520	svchcst.exe	31
PID 2520 wrote to memory of 1260	2520	svchcst.exe	31
PID 1260 wrote to memory of 1768	1260	WScript.exe	32
PID 1260 wrote to memory of 1768	1260	WScript.exe	32
PID 1260 wrote to memory of 1768	1260	WScript.exe	32
PID 1260 wrote to memory of 1768	1260	WScript.exe	32
PID 1768 wrote to memory of 2560	1768	svchcst.exe	33
PID 1768 wrote to memory of 2560	1768	svchcst.exe	33
PID 1768 wrote to memory of 2560	1768	svchcst.exe	33
PID 1768 wrote to memory of 2560	1768	svchcst.exe	33
PID 2560 wrote to memory of 2212	2560	WScript.exe	34
PID 2560 wrote to memory of 2212	2560	WScript.exe	34
PID 2560 wrote to memory of 2212	2560	WScript.exe	34
PID 2560 wrote to memory of 2212	2560	WScript.exe	34
PID 2212 wrote to memory of 1556	2212	svchcst.exe	35
PID 2212 wrote to memory of 1556	2212	svchcst.exe	35
PID 2212 wrote to memory of 1556	2212	svchcst.exe	35
PID 2212 wrote to memory of 1556	2212	svchcst.exe	35
PID 1556 wrote to memory of 1616	1556	WScript.exe	36
PID 1556 wrote to memory of 1616	1556	WScript.exe	36
PID 1556 wrote to memory of 1616	1556	WScript.exe	36
PID 1556 wrote to memory of 1616	1556	WScript.exe	36
PID 1616 wrote to memory of 308	1616	svchcst.exe	37
PID 1616 wrote to memory of 308	1616	svchcst.exe	37
PID 1616 wrote to memory of 308	1616	svchcst.exe	37
PID 1616 wrote to memory of 308	1616	svchcst.exe	37
PID 308 wrote to memory of 2348	308	WScript.exe	38
PID 308 wrote to memory of 2348	308	WScript.exe	38
PID 308 wrote to memory of 2348	308	WScript.exe	38
PID 308 wrote to memory of 2348	308	WScript.exe	38
PID 2348 wrote to memory of 1504	2348	svchcst.exe	39
PID 2348 wrote to memory of 1504	2348	svchcst.exe	39
PID 2348 wrote to memory of 1504	2348	svchcst.exe	39
PID 2348 wrote to memory of 1504	2348	svchcst.exe	39
PID 1504 wrote to memory of 2804	1504	WScript.exe	40
PID 1504 wrote to memory of 2804	1504	WScript.exe	40
PID 1504 wrote to memory of 2804	1504	WScript.exe	40
PID 1504 wrote to memory of 2804	1504	WScript.exe	40
PID 2804 wrote to memory of 2028	2804	svchcst.exe	41
PID 2804 wrote to memory of 2028	2804	svchcst.exe	41
PID 2804 wrote to memory of 2028	2804	svchcst.exe	41
PID 2804 wrote to memory of 2028	2804	svchcst.exe	41
PID 2028 wrote to memory of 1648	2028	WScript.exe	44
PID 2028 wrote to memory of 1648	2028	WScript.exe	44
PID 2028 wrote to memory of 1648	2028	WScript.exe	44
PID 2028 wrote to memory of 1648	2028	WScript.exe	44
PID 1648 wrote to memory of 1668	1648	svchcst.exe	45
PID 1648 wrote to memory of 1668	1648	svchcst.exe	45
PID 1648 wrote to memory of 1668	1648	svchcst.exe	45
PID 1648 wrote to memory of 1668	1648	svchcst.exe	45
PID 1668 wrote to memory of 2388	1668	WScript.exe	46
PID 1668 wrote to memory of 2388	1668	WScript.exe	46
PID 1668 wrote to memory of 2388	1668	WScript.exe	46
PID 1668 wrote to memory of 2388	1668	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe
"C:\Users\Admin\AppData\Local\Temp\eed9eea4b267d12456a5fb176a810c3986de04024d6f2b8e3eff8a55fa662209.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
779731cbe33184909e5e40bc139882e6

SHA1
705fd1bdf005210f16f38756a03ebd595fee7ed8

SHA256
177d55d9f03c796e0ebabd8f3dc8076c956c80e86cc87e1ac2acb7b4c275ccc2

SHA512
3096859ecadbc3ce368e74c3a04ddcb0b2507840472781f9f3386f53203711dc782e4d82bf741e244999ed2fc84c97c020cfe17af307048894e4f9b8926e7f86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5595e696ad38e0e30c17fb673e5a413

SHA1
c332491899261f337b3a97929994c31344bb5333

SHA256
48a77a58f3ef88b2dd6c8d1e8e20d3f05f226743a274e44bcc4b0e782f0bdb19

SHA512
510d9d7e2cfc7709ecea034440955f138aab18c118a40351373183ae6b76276a76528175540268529e872d064186c2d17b87bea097502c8bdfc435a5a576b4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3e2972882e9be071c949526404791014

SHA1
3afbbed462ac7b98eee85e8644c8375a037e6194

SHA256
5e17d4c97d7f6337870ccce4d9dd2eb75d5f7643d883c9cdcc0b73d694753141

SHA512
1601e8572be71bbd0d2794ea5cc22f2afbd59b3c80b4652dbe9761389ff99bcb30545df25e6f25f743b1c1d3cf1267870634a0bb4021dfa4bc7d4779460599b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4afc359e83ac606fc5a4e435b0b5036c

SHA1
fa4f255d3ca97446af611ac14872148f06a80dc9

SHA256
7983d200d385ec6801954b618a2f76b7ae9b204818c6c3f1394cb57dc834d8d8

SHA512
579ab2727bd2a4e0e848d89ad88e3579e3368183b322aac392aefdb6a3b0de8f6ecc3311e221bebce84b2e6fc07ac77bf8e9e9268834ec444bf23e9ba41d1b24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b2e695355cac1bbd4b03b3cf64e88545

SHA1
96d6b60915340f7fde7a555e4fe808819d7b9e90

SHA256
d278cd12070e5f73bbe8886a4eebfc4b48c44464afb4df97510b120b879c5255

SHA512
e58a9e03065b104d5dda23a3678c06bee86e616f58b0f0515529d960b5c57bd0b925842f64407c8591e0eb975df29d37fbb13b76e524c5bc7b7eb064917c2663

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
57259cd0edae94bb405865c47be8b9bd

SHA1
b87b737d8941e3509cbfd7e4ea17279e5f36aadf

SHA256
59d965402b5d5f268fab147c163fba75515341a25cc966ae03946a7818892adb

SHA512
d38563137f22c1de3badf652443444b470519bd69852237ad7159b433ba4fe71b3e3217023636ce948815ba200d73eb2050978270d49278db31181598f92d19e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b7d0c6f0cbba962d0f0fe4a3b2e161d7

SHA1
796468e6c46313e4f0865562fe0fc60bc89740bd

SHA256
019a2d311e175258616a3a6a75f5589b730ffdd916df7406d8d3908c386dd8f0

SHA512
a39adbb6dced248fa3e2a30746b0d15363bb9dc3d167bc36cc8cc71e0e17aa4f6876b7c3d639da6a50172f98e03996c908f8c3b6ea3900c8418507d7ccb5ac24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6fe75d1492e3f8319ee7b5dc4073f466

SHA1
95bcc07ea97dd4e80b14191bd1e35237ec835a06

SHA256
442e35575090b607c7b1b83331c796a85b1c97c39083fed3b2168b492e65b5a3

SHA512
165a48e2d0435e6316bef7e7e82d594a0ffa71b248c19110fad197d59e6eb8d22f22a0f5866e49c59c44d05402786ed975f5f7243e565db968fbe7df56af2945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
43b13da7c1d48fa083dd87e499795337

SHA1
4b8a8bb11295ebe54c5cd56aa29da7de4e86542d

SHA256
cf2eec996f1fea3fabbbfaba1be294a9c2a7266bd55f89c12972861567d45812

SHA512
cee59c506306cbd9708355485404a7b9e1452beb426d4849d5df198eb9acafe8dd48c3445544733eb4da1e94b89b14876972e3e3c1626db46edcba26ae9a77a2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1bcb65b69c50c27f88e275e3b966fea6

SHA1
8f864871f60679cce8c962f129d1351784cf99e7

SHA256
ee0a1d5f938b2c1640e3a0d74180f251dbd7ca7bb936a0da7af0e1a2945e9886

SHA512
6b5f6160963fe94a22a39fc5b82d03f1fe5b4bdd482586ae2c56e5e79ee8e376083f734b650f3cfbe779ee04605c47d009f7839a4f8f07e935e0404ed9d1941a

Download Submit
memory/308-65-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/392-269-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/620-254-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/620-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/656-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/656-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1140-268-0x00000000048D0000-0x0000000004A2F000-memory.dmp

Filesize
1.4MB

Download
memory/1284-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1296-145-0x0000000005F60000-0x00000000060BF000-memory.dmp

Filesize
1.4MB

Download
memory/1296-146-0x0000000005F60000-0x00000000060BF000-memory.dmp

Filesize
1.4MB

Download
memory/1380-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1380-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-81-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-80-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-112-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/1680-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1768-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1768-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-238-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-96-0x0000000004930000-0x0000000004A8F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-95-0x0000000004930000-0x0000000004A8F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-204-0x0000000004460000-0x00000000045BF000-memory.dmp

Filesize
1.4MB

Download
memory/2188-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2332-179-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2344-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-263-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2388-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2388-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-161-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-158-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/2396-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2396-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2520-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2520-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-213-0x0000000004600000-0x000000000475F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-195-0x0000000004790000-0x00000000048EF000-memory.dmp

Filesize
1.4MB

Download
memory/2732-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-174-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/2884-259-0x00000000059F0000-0x0000000005B4F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-128-0x00000000045D0000-0x000000000472F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-127-0x00000000045D0000-0x000000000472F000-memory.dmp

Filesize
1.4MB

Download