776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
Size

1.1MB
MD5

bcc1408f17087c9c00be3c7dc221dff5
SHA1

52201f0da3953011b7908e611ec7a41be29f0890
SHA256

776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75
SHA512

65e16e94ad90830e6a2fa9be3d2c6794ccda1b8bc3f4650fd44e5327c6e8aa3da7ba21fe04594a05c7253738bc6f52221a35bda55a364f5e52d26a49a2ed09c3
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzMk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2232	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2232	svchcst.exe
2772	svchcst.exe
2164	svchcst.exe
2288	svchcst.exe
1480	svchcst.exe
1908	svchcst.exe
2284	svchcst.exe
2708	svchcst.exe
2128	svchcst.exe
2592	svchcst.exe
1968	svchcst.exe
2116	svchcst.exe
596	svchcst.exe
1816	svchcst.exe
1660	svchcst.exe
3036	svchcst.exe
2608	svchcst.exe
2992	svchcst.exe
2980	svchcst.exe
324	svchcst.exe
1036	svchcst.exe
2104	svchcst.exe
1900	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
3056	WScript.exe
3056	WScript.exe
2588	WScript.exe
2588	WScript.exe
1648	WScript.exe
1648	WScript.exe
2584	WScript.exe
2584	WScript.exe
1248	WScript.exe
1248	WScript.exe
1808	WScript.exe
1808	WScript.exe
1628	WScript.exe
2180	WScript.exe
1912	WScript.exe
1912	WScript.exe
1264	WScript.exe
2016	WScript.exe
1536	WScript.exe
1536	WScript.exe
2108	WScript.exe
2108	WScript.exe
1416	WScript.exe
1416	WScript.exe
1348	WScript.exe
1348	WScript.exe
1644	WScript.exe
1644	WScript.exe
1596	WScript.exe
1596	WScript.exe
2816	WScript.exe
2816	WScript.exe
2228	WScript.exe
2228	WScript.exe
1420	WScript.exe
1420	WScript.exe
1568	WScript.exe
1568	WScript.exe
2428	WScript.exe
2428	WScript.exe
2468	WScript.exe
2468	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
2232	svchcst.exe
2232	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2116	svchcst.exe
2116	svchcst.exe
596	svchcst.exe
596	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
324	svchcst.exe
324	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3056	2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe	28
PID 2424 wrote to memory of 3056	2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe	28
PID 2424 wrote to memory of 3056	2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe	28
PID 2424 wrote to memory of 3056	2424	776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe	28
PID 3056 wrote to memory of 2232	3056	WScript.exe	30
PID 3056 wrote to memory of 2232	3056	WScript.exe	30
PID 3056 wrote to memory of 2232	3056	WScript.exe	30
PID 3056 wrote to memory of 2232	3056	WScript.exe	30
PID 2232 wrote to memory of 2588	2232	svchcst.exe	31
PID 2232 wrote to memory of 2588	2232	svchcst.exe	31
PID 2232 wrote to memory of 2588	2232	svchcst.exe	31
PID 2232 wrote to memory of 2588	2232	svchcst.exe	31
PID 2588 wrote to memory of 2772	2588	WScript.exe	32
PID 2588 wrote to memory of 2772	2588	WScript.exe	32
PID 2588 wrote to memory of 2772	2588	WScript.exe	32
PID 2588 wrote to memory of 2772	2588	WScript.exe	32
PID 2772 wrote to memory of 1648	2772	svchcst.exe	33
PID 2772 wrote to memory of 1648	2772	svchcst.exe	33
PID 2772 wrote to memory of 1648	2772	svchcst.exe	33
PID 2772 wrote to memory of 1648	2772	svchcst.exe	33
PID 1648 wrote to memory of 2164	1648	WScript.exe	34
PID 1648 wrote to memory of 2164	1648	WScript.exe	34
PID 1648 wrote to memory of 2164	1648	WScript.exe	34
PID 1648 wrote to memory of 2164	1648	WScript.exe	34
PID 2164 wrote to memory of 2584	2164	svchcst.exe	35
PID 2164 wrote to memory of 2584	2164	svchcst.exe	35
PID 2164 wrote to memory of 2584	2164	svchcst.exe	35
PID 2164 wrote to memory of 2584	2164	svchcst.exe	35
PID 2584 wrote to memory of 2288	2584	WScript.exe	36
PID 2584 wrote to memory of 2288	2584	WScript.exe	36
PID 2584 wrote to memory of 2288	2584	WScript.exe	36
PID 2584 wrote to memory of 2288	2584	WScript.exe	36
PID 2288 wrote to memory of 1248	2288	svchcst.exe	37
PID 2288 wrote to memory of 1248	2288	svchcst.exe	37
PID 2288 wrote to memory of 1248	2288	svchcst.exe	37
PID 2288 wrote to memory of 1248	2288	svchcst.exe	37
PID 1248 wrote to memory of 1480	1248	WScript.exe	38
PID 1248 wrote to memory of 1480	1248	WScript.exe	38
PID 1248 wrote to memory of 1480	1248	WScript.exe	38
PID 1248 wrote to memory of 1480	1248	WScript.exe	38
PID 1480 wrote to memory of 1808	1480	svchcst.exe	39
PID 1480 wrote to memory of 1808	1480	svchcst.exe	39
PID 1480 wrote to memory of 1808	1480	svchcst.exe	39
PID 1480 wrote to memory of 1808	1480	svchcst.exe	39
PID 1808 wrote to memory of 1908	1808	WScript.exe	40
PID 1808 wrote to memory of 1908	1808	WScript.exe	40
PID 1808 wrote to memory of 1908	1808	WScript.exe	40
PID 1808 wrote to memory of 1908	1808	WScript.exe	40
PID 1908 wrote to memory of 1628	1908	svchcst.exe	41
PID 1908 wrote to memory of 1628	1908	svchcst.exe	41
PID 1908 wrote to memory of 1628	1908	svchcst.exe	41
PID 1908 wrote to memory of 1628	1908	svchcst.exe	41
PID 1628 wrote to memory of 2284	1628	WScript.exe	44
PID 1628 wrote to memory of 2284	1628	WScript.exe	44
PID 1628 wrote to memory of 2284	1628	WScript.exe	44
PID 1628 wrote to memory of 2284	1628	WScript.exe	44
PID 2284 wrote to memory of 2180	2284	svchcst.exe	45
PID 2284 wrote to memory of 2180	2284	svchcst.exe	45
PID 2284 wrote to memory of 2180	2284	svchcst.exe	45
PID 2284 wrote to memory of 2180	2284	svchcst.exe	45
PID 2180 wrote to memory of 2708	2180	WScript.exe	46
PID 2180 wrote to memory of 2708	2180	WScript.exe	46
PID 2180 wrote to memory of 2708	2180	WScript.exe	46
PID 2180 wrote to memory of 2708	2180	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe
"C:\Users\Admin\AppData\Local\Temp\776d4ddbd9ad1b4da58062ea596382b5a27a07d837d561a0cab3c9bddd54cc75.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e59aae41940ae03cb24f80ea15175199

SHA1
624526bd72662a75e0ae315cb99babd792dcafd0

SHA256
55438a0509a4107e50367b6f7626bdbb20a38ff832152c440f2ac46b6598d527

SHA512
b50536202dc5936a734a55ea103d2e09e1200c9f2306e8d9a571b8ff4a8ab49942ee33a312df7b8d54f0f6fb1dd433095f97ea6f4c3b0ee1c77bc1bd7443c336

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
970fb03887235f4c3fecae532282fb89

SHA1
fa27efd87484a086f6fcdca4beefa21fe1918615

SHA256
1021d5fe739d7fed5128880fa33f0e94651ee6738b583febfd2b18c576914785

SHA512
bc1820f2b906e4988ff46d280135096b771bb488a19be2d80de3d8331d7ace5555bb5ea480233019f371588b86b81724d407d566ec0f56a8c7bcf0aa7717640d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0c8d54f7df48446cdc8e0a5d37b9b048

SHA1
8a21a0e5f47ccc900e91aef0b752795e7dc15e6b

SHA256
5fb83edb08d1137575f63433aca838841cdf02d2b801fbdf114a026b5be8cdc1

SHA512
df7a31b39939037f6de4b2fb1bfaa8d87e88acfcb2fb116026c963f728153a322090cb45bed4c102d1932a94d85b48b602daa564269878d280d52597428c60e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a10998175f49688a69c74ccfffc354b9

SHA1
e3f920fe600a28839a7267b4ba6255bb3795a57b

SHA256
0343b7e1c0526520adc91138510f2f53b647f6dfab23b33b796a36df79b52994

SHA512
fd34ae078bd186670b88736c5f252a6cacccf8103b10c02375b104a7317b0963f3a906041464538ee947a0f074f009874daab10702185caaa9319c1460e59bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95b26233fe8d77c7afc2e427f3dd91d6

SHA1
317a79b8898eca74f85e232d111bead208699772

SHA256
bd74db13128f7a8a107718af66f1ccc71307073ae86f49bc14a585bf98e78a93

SHA512
18818703cde7ee3a2f5fe52e184a81f1a5d80fd5b3c9a25c9032e0c6edd3b548471d796031b0b461b8bc39d3532bf80bbb81fd4bbbf791e595649f43b1132142

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0dad8d820ba8075d82002b2466cce3bd

SHA1
018a5d7622ebb286adfd0ceb6a106fe528dd360a

SHA256
94a8da73b83efa6d86a4d4af6248eafd43135481b24178e6e648165f1ec5a6cd

SHA512
1b85b88f05fc0e67102402a7a74923aeea3e5a8224ff93789bb7b98d988cdbe50d50da16e8590b12bdc710aa6f8956a6e4858b5c0f51d66762b08f9e333929e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
445661d240bc9acfef2ba7768a694450

SHA1
8d293f173cf7fdd902311c5c243ec815d75cc633

SHA256
a6b9fd2e868dd3fc0de639ca9d8ccbf5b8d0ceebc9fefeb278085bcc415f3e61

SHA512
0848273cc7cea073ed4126aec5bd97b6fd9ebf99678083f44f45ff06242827e9fa0b8b471b2df43ee7febddd02e3bd244c8bf35f2f178457071c5dfda66c3381

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f4c303b3a54f800912b0b2623738250e

SHA1
2b739db1ffa353a1e7a68dcafbc8f962b519bd4b

SHA256
8cbb3d8a2863140033163e0902b52a468ff7e1dad73dac3c29bf35d523abda5a

SHA512
1d15ab1b92922ba1acb635081f37ba8e4771e0bb58a9e6e5abc4c9b3defa0f2f792da76c33cee91673e23268e62756506d38209771ba2c32fea0bad23c3f43f5

Download Submit
memory/2424-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download