8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 22:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
Size

1.1MB
MD5

17d2e6f02dca29fe9c243dd6bd1e2e8e
SHA1

694ecc60c710a54636f0473ada036c887ff650e7
SHA256

8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0
SHA512

feb7664666be1f736156336c61ce7f18ce77583af586a2ad097eb7a5c4cbe047540ba909d9410bca7dce1165b5803349153df2295451570922c8672fcc672b1f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QG:acallSllG4ZM7QzMd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2456	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2456	svchcst.exe
344	svchcst.exe
1848	svchcst.exe
844	svchcst.exe
476	svchcst.exe
2256	svchcst.exe
2016	svchcst.exe
1692	svchcst.exe
2132	svchcst.exe
2424	svchcst.exe
2488	svchcst.exe
1300	svchcst.exe
2660	svchcst.exe
536	svchcst.exe
2192	svchcst.exe
2208	svchcst.exe
2632	svchcst.exe
876	svchcst.exe
2764	svchcst.exe
1304	svchcst.exe
2396	svchcst.exe
1468	svchcst.exe
2252	svchcst.exe
1028	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
1784	WScript.exe
1784	WScript.exe
2432	WScript.exe
2784	WScript.exe
1508	WScript.exe
2240	WScript.exe
2240	WScript.exe
1348	WScript.exe
1348	WScript.exe
1688	WScript.exe
1348	WScript.exe
1688	WScript.exe
1688	WScript.exe
2588	WScript.exe
2588	WScript.exe
1772	WScript.exe
2904	WScript.exe
2904	WScript.exe
2828	WScript.exe
2828	WScript.exe
1572	WScript.exe
1572	WScript.exe
2428	WScript.exe
2428	WScript.exe
836	WScript.exe
836	WScript.exe
2436	WScript.exe
2436	WScript.exe
2036	WScript.exe
2036	WScript.exe
2720	WScript.exe
2720	WScript.exe
2588	WScript.exe
2588	WScript.exe
1896	WScript.exe
1896	WScript.exe
2108	WScript.exe
2108	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
344	svchcst.exe
344	svchcst.exe
344	svchcst.exe
344	svchcst.exe
344	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
2456	svchcst.exe
2456	svchcst.exe
344	svchcst.exe
344	svchcst.exe
1848	svchcst.exe
1848	svchcst.exe
844	svchcst.exe
844	svchcst.exe
476	svchcst.exe
476	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
876	svchcst.exe
876	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
1304	svchcst.exe
1304	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1784	2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe	28
PID 2872 wrote to memory of 1784	2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe	28
PID 2872 wrote to memory of 1784	2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe	28
PID 2872 wrote to memory of 1784	2872	8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe	28
PID 1784 wrote to memory of 2456	1784	WScript.exe	30
PID 1784 wrote to memory of 2456	1784	WScript.exe	30
PID 1784 wrote to memory of 2456	1784	WScript.exe	30
PID 1784 wrote to memory of 2456	1784	WScript.exe	30
PID 2456 wrote to memory of 2432	2456	svchcst.exe	31
PID 2456 wrote to memory of 2432	2456	svchcst.exe	31
PID 2456 wrote to memory of 2432	2456	svchcst.exe	31
PID 2456 wrote to memory of 2432	2456	svchcst.exe	31
PID 2432 wrote to memory of 344	2432	WScript.exe	32
PID 2432 wrote to memory of 344	2432	WScript.exe	32
PID 2432 wrote to memory of 344	2432	WScript.exe	32
PID 2432 wrote to memory of 344	2432	WScript.exe	32
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 344 wrote to memory of 2784	344	svchcst.exe	33
PID 2784 wrote to memory of 1848	2784	WScript.exe	34
PID 2784 wrote to memory of 1848	2784	WScript.exe	34
PID 2784 wrote to memory of 1848	2784	WScript.exe	34
PID 2784 wrote to memory of 1848	2784	WScript.exe	34
PID 1848 wrote to memory of 1508	1848	svchcst.exe	35
PID 1848 wrote to memory of 1508	1848	svchcst.exe	35
PID 1848 wrote to memory of 1508	1848	svchcst.exe	35
PID 1848 wrote to memory of 1508	1848	svchcst.exe	35
PID 1508 wrote to memory of 844	1508	WScript.exe	36
PID 1508 wrote to memory of 844	1508	WScript.exe	36
PID 1508 wrote to memory of 844	1508	WScript.exe	36
PID 1508 wrote to memory of 844	1508	WScript.exe	36
PID 844 wrote to memory of 2240	844	svchcst.exe	37
PID 844 wrote to memory of 2240	844	svchcst.exe	37
PID 844 wrote to memory of 2240	844	svchcst.exe	37
PID 844 wrote to memory of 2240	844	svchcst.exe	37
PID 2240 wrote to memory of 476	2240	WScript.exe	38
PID 2240 wrote to memory of 476	2240	WScript.exe	38
PID 2240 wrote to memory of 476	2240	WScript.exe	38
PID 2240 wrote to memory of 476	2240	WScript.exe	38
PID 476 wrote to memory of 376	476	svchcst.exe	39
PID 476 wrote to memory of 376	476	svchcst.exe	39
PID 476 wrote to memory of 376	476	svchcst.exe	39
PID 476 wrote to memory of 376	476	svchcst.exe	39
PID 2240 wrote to memory of 2256	2240	WScript.exe	40
PID 2240 wrote to memory of 2256	2240	WScript.exe	40
PID 2240 wrote to memory of 2256	2240	WScript.exe	40
PID 2240 wrote to memory of 2256	2240	WScript.exe	40
PID 2256 wrote to memory of 1348	2256	svchcst.exe	41
PID 2256 wrote to memory of 1348	2256	svchcst.exe	41
PID 2256 wrote to memory of 1348	2256	svchcst.exe	41
PID 2256 wrote to memory of 1348	2256	svchcst.exe	41
PID 1348 wrote to memory of 2016	1348	WScript.exe	44
PID 1348 wrote to memory of 2016	1348	WScript.exe	44
PID 1348 wrote to memory of 2016	1348	WScript.exe	44
PID 1348 wrote to memory of 2016	1348	WScript.exe	44
PID 2016 wrote to memory of 1688	2016	svchcst.exe	45
PID 2016 wrote to memory of 1688	2016	svchcst.exe	45
PID 2016 wrote to memory of 1688	2016	svchcst.exe	45
PID 2016 wrote to memory of 1688	2016	svchcst.exe	45
PID 1688 wrote to memory of 1692	1688	WScript.exe	47
PID 1688 wrote to memory of 1692	1688	WScript.exe	47
PID 1688 wrote to memory of 1692	1688	WScript.exe	47
PID 1688 wrote to memory of 1692	1688	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe
"C:\Users\Admin\AppData\Local\Temp\8742e955e118e83b9c6fea50c60afcf101f7f249fa357826534e3e132d2afbc0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae63ded87a90f9812749cac189d07a57

SHA1
5a37ba565ce8c2445ff71f7c3d7adc38cb68627f

SHA256
6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236

SHA512
293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
40b9e9b284baef7b003039f3c6bcdef8

SHA1
8c4abfe4e4860c8ddbb1dba89df4bff496a629fd

SHA256
bc48ad8e3a3ac7b411fdfc0a3dd6e9d418c038aabb6eb4b4f63a7cea1c2e5196

SHA512
6c6708a6773ab47310e393571855cb159a4cfc1d9c4b20518d69673ad7589c07ac90e0bf097b0fd58173d404c5c76d38544dd9b9d06049383f1bb6ce14126518

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87b2626dabea4f7286b74eb7321bb88f

SHA1
4d77c506e8e465978b05b99fba0997f0283e58e3

SHA256
cf3cbee163739cdd54bd9b26485f156da963145734774432a621a00038332518

SHA512
b03b58ed1af997298d83e58bda711754227a7cabd507f461e0b54781e375647ac530d2ce49fec408fb1f21f8c23bfd9a59bd0120f70ab6ffad3f0360f7a962b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ca4f6f48147b9a1beca4974517c17e30

SHA1
ffbf18feb8160ff36f5a3d453f7c32a85e434124

SHA256
c415097ce14d506c3164aaba4a461382049b23bd8d9d402ece45d6fe7d97196d

SHA512
d3e1bc8d2aa51ec65e7159886b59be708f8ff1f70137ac433419a32dcc37dfea67aacdd2f3dc2c829b23514729d03b8dd56799fd5895bdfd0e5420bd8c805557

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6434311e418aed97f04dbdde41ff971f

SHA1
614fad7588fe549bb7b57fb60ab61f478beda9ce

SHA256
7f6b14808eee6d4f0d90aba10ec03220c1da945d1316c8720c485167b01f803e

SHA512
94cf17d16f068be5cf66faa4079645d50fb08e0149d0db6d2ae505b2f8f5520f2151410856c52189be598f39a361a24f9abcd7f8dd0777ebc15780a397429583

Download Submit
memory/344-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/344-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/476-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/476-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/844-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/844-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1028-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1028-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1304-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1304-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1348-87-0x0000000004750000-0x00000000048AF000-memory.dmp

Filesize
1.4MB

Download
memory/1468-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1468-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-52-0x0000000004400000-0x000000000455F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-85-0x0000000004400000-0x000000000455F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-110-0x00000000048D0000-0x0000000004A2F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1848-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1848-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1896-238-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2016-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-62-0x0000000005D90000-0x0000000005EEF000-memory.dmp

Filesize
1.4MB

Download
memory/2240-75-0x0000000004400000-0x000000000455F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2396-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2396-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-204-0x0000000005BF0000-0x0000000005D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2764-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2828-171-0x0000000005D50000-0x0000000005EAF000-memory.dmp

Filesize
1.4MB

Download
memory/2872-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2872-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download