fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe
Size

1.1MB
MD5

ccd80a68f925feaffe7ddc5d94645f4d
SHA1

e775cb59c7b38446a7272c2aed315ebb69b38cd7
SHA256

fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116
SHA512

0488992c6fd9aee18e661ee40304104975b409bf48610513331110340a042b92a5672527e9ae6f55ce1b4e7ebf570e520ee8edb3b0ab7b9f06208aca85962f42
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzMZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3040	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
3040	svchcst.exe
2868	svchcst.exe
772	svchcst.exe
1828	svchcst.exe
1852	svchcst.exe
2396	svchcst.exe
1624	svchcst.exe
2392	svchcst.exe
2696	svchcst.exe
2572	svchcst.exe
2012	svchcst.exe
1532	svchcst.exe
1828	svchcst.exe
2128	svchcst.exe
2268	svchcst.exe
1584	svchcst.exe
1932	svchcst.exe
2800	svchcst.exe
2640	svchcst.exe
2536	svchcst.exe
1684	svchcst.exe
3024	svchcst.exe
576	svchcst.exe
2924	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
856	WScript.exe
856	WScript.exe
2596	WScript.exe
2596	WScript.exe
1032	WScript.exe
1032	WScript.exe
2844	WScript.exe
2844	WScript.exe
2128	WScript.exe
2128	WScript.exe
2468	WScript.exe
2468	WScript.exe
1636	WScript.exe
1636	WScript.exe
1300	WScript.exe
1300	WScript.exe
2332	WScript.exe
2532	WScript.exe
348	WScript.exe
348	WScript.exe
348	WScript.exe
348	WScript.exe
1616	WScript.exe
1616	WScript.exe
1616	WScript.exe
1616	WScript.exe
1700	WScript.exe
1700	WScript.exe
1624	WScript.exe
1624	WScript.exe
1656	WScript.exe
1656	WScript.exe
2880	WScript.exe
2880	WScript.exe
1820	WScript.exe
1820	WScript.exe
2204	WScript.exe
2204	WScript.exe
1520	WScript.exe
1520	WScript.exe
1540	WScript.exe
1540	WScript.exe
2284	WScript.exe
2284	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe
2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe
3040	svchcst.exe
3040	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
772	svchcst.exe
772	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
1852	svchcst.exe
1852	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
576	svchcst.exe
576	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 856	2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe	28
PID 2132 wrote to memory of 856	2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe	28
PID 2132 wrote to memory of 856	2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe	28
PID 2132 wrote to memory of 856	2132	fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe	28
PID 856 wrote to memory of 3040	856	WScript.exe	30
PID 856 wrote to memory of 3040	856	WScript.exe	30
PID 856 wrote to memory of 3040	856	WScript.exe	30
PID 856 wrote to memory of 3040	856	WScript.exe	30
PID 3040 wrote to memory of 2596	3040	svchcst.exe	31
PID 3040 wrote to memory of 2596	3040	svchcst.exe	31
PID 3040 wrote to memory of 2596	3040	svchcst.exe	31
PID 3040 wrote to memory of 2596	3040	svchcst.exe	31
PID 2596 wrote to memory of 2868	2596	WScript.exe	32
PID 2596 wrote to memory of 2868	2596	WScript.exe	32
PID 2596 wrote to memory of 2868	2596	WScript.exe	32
PID 2596 wrote to memory of 2868	2596	WScript.exe	32
PID 2868 wrote to memory of 1032	2868	svchcst.exe	33
PID 2868 wrote to memory of 1032	2868	svchcst.exe	33
PID 2868 wrote to memory of 1032	2868	svchcst.exe	33
PID 2868 wrote to memory of 1032	2868	svchcst.exe	33
PID 1032 wrote to memory of 772	1032	WScript.exe	34
PID 1032 wrote to memory of 772	1032	WScript.exe	34
PID 1032 wrote to memory of 772	1032	WScript.exe	34
PID 1032 wrote to memory of 772	1032	WScript.exe	34
PID 772 wrote to memory of 2844	772	svchcst.exe	35
PID 772 wrote to memory of 2844	772	svchcst.exe	35
PID 772 wrote to memory of 2844	772	svchcst.exe	35
PID 772 wrote to memory of 2844	772	svchcst.exe	35
PID 2844 wrote to memory of 1828	2844	WScript.exe	36
PID 2844 wrote to memory of 1828	2844	WScript.exe	36
PID 2844 wrote to memory of 1828	2844	WScript.exe	36
PID 2844 wrote to memory of 1828	2844	WScript.exe	36
PID 1828 wrote to memory of 2128	1828	svchcst.exe	37
PID 1828 wrote to memory of 2128	1828	svchcst.exe	37
PID 1828 wrote to memory of 2128	1828	svchcst.exe	37
PID 1828 wrote to memory of 2128	1828	svchcst.exe	37
PID 2128 wrote to memory of 1852	2128	WScript.exe	38
PID 2128 wrote to memory of 1852	2128	WScript.exe	38
PID 2128 wrote to memory of 1852	2128	WScript.exe	38
PID 2128 wrote to memory of 1852	2128	WScript.exe	38
PID 1852 wrote to memory of 2468	1852	svchcst.exe	39
PID 1852 wrote to memory of 2468	1852	svchcst.exe	39
PID 1852 wrote to memory of 2468	1852	svchcst.exe	39
PID 1852 wrote to memory of 2468	1852	svchcst.exe	39
PID 2468 wrote to memory of 2396	2468	WScript.exe	40
PID 2468 wrote to memory of 2396	2468	WScript.exe	40
PID 2468 wrote to memory of 2396	2468	WScript.exe	40
PID 2468 wrote to memory of 2396	2468	WScript.exe	40
PID 2396 wrote to memory of 1636	2396	svchcst.exe	41
PID 2396 wrote to memory of 1636	2396	svchcst.exe	41
PID 2396 wrote to memory of 1636	2396	svchcst.exe	41
PID 2396 wrote to memory of 1636	2396	svchcst.exe	41
PID 1636 wrote to memory of 1624	1636	WScript.exe	44
PID 1636 wrote to memory of 1624	1636	WScript.exe	44
PID 1636 wrote to memory of 1624	1636	WScript.exe	44
PID 1636 wrote to memory of 1624	1636	WScript.exe	44
PID 1624 wrote to memory of 1300	1624	svchcst.exe	45
PID 1624 wrote to memory of 1300	1624	svchcst.exe	45
PID 1624 wrote to memory of 1300	1624	svchcst.exe	45
PID 1624 wrote to memory of 1300	1624	svchcst.exe	45
PID 1300 wrote to memory of 2392	1300	WScript.exe	46
PID 1300 wrote to memory of 2392	1300	WScript.exe	46
PID 1300 wrote to memory of 2392	1300	WScript.exe	46
PID 1300 wrote to memory of 2392	1300	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe
"C:\Users\Admin\AppData\Local\Temp\fa3b25234d5581de6992d67d5389a63e654c8a8e09a1ba32680ad023f91c6116.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
fb21f73f1b12f1536ac204840f61f757

SHA1
b1f550535feca1fbb77866424fd50ed31fd4738b

SHA256
0afcbb92eda0144d65def1e84d0a8e64f2e39d75cfdf6408012d514cdfd41572

SHA512
926ef85b0b1529a240c4e68d15455d41e36b00a198d383f523399b8aca6880e6176f1e23654ffba45599ec745d5fd24e89ab8918f1bbdb74ca79f4a17e16cf8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ef97e1f1531b7892e7f793ce6fd76136

SHA1
b12f0550e1ae5d07fcaefc1a2cbbf68e359bfc1d

SHA256
6ae2327d7a2c803e8d7f812cf6eee8811ee87052e88dc2d574d8c3769ed5a1e9

SHA512
3df521cd542a378daf1a35708929eebc00f21341260efcaa5ce3d92eb1cb849edfcea6a154e2c8ef44daf7a729f42095390bd9f1d9ca80e6a4b5ca58bc6427c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
837d329de09ce695abb492a6a9332fef

SHA1
925ef9bbee7ca10fe3d66d84b3a221e17a59a146

SHA256
3b6a0a7b5ef0a9156650aef9bee64c0ce3dbbca7f91398a0b3ea4c581d7cb673

SHA512
5a40a01e4b1ad943e764edf3bf41c7a0a81b3c07c3ca5dbbc83953c36ac102ac8f555d20a45124fde67cd6735c40ceeb9d9ddae04bd54afe903468528ac81744

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
446a1785e5b8dc285543164ffa81806d

SHA1
dd387d89f272b15bf16012833a1c55d226986494

SHA256
6eaccb0927dbaa4127a07a13e7e796fe6f12901fad235adc2913a9783a1835c3

SHA512
78e71325d1eb3d22981f33ef4041315ca61e703ef182ee6effc72233eba3603cd25177a71a65a27c5fbd3a003565f365cb1bf785efc88ca46129ce0dc8fba9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1700fec3cdc81e3d7a39a4e2b8d42959

SHA1
ab6edd187e2adb1abd465820d89bcfe98e5447a9

SHA256
272a5fa536bf0811200ee7e7eb3a6b2694222428f347bf5d8a305750c9fbd38e

SHA512
c5747ee6b75abcb8cc4bf4a604f4897d306e65b3a96df0b3098c91fd785318c26a8690aa79e026e347fc7a1bee2ec8392541cfb60bcb2410de98ac72bfea1ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cd5a6517d0efc45b620f563c6ebaab7e

SHA1
3cbd8864fbc1967eed2aa84395d16eebd9b4062f

SHA256
41b655e73a67aebfeffca40386cb6ff8472f05aac5ac0ee21e2de2011fb8819c

SHA512
0638b9c9bb7adf56cded758e33175201e5cc6d67340860e16b229007b25f612eaba21ef4af606fad26b90d9e6b6e07c3d286b682185c25ad48d19f1dbd052fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4859fbfb388a59d569eead9e677cc39

SHA1
0e55195c5af0924bedd6e792dcc9cc5e566f3491

SHA256
b17286b7ef68adccd98726e1399aee1aa57877190e6918369b48e9288c7e3b77

SHA512
45a63f646dfa11635db5c13d61774863e68850a1ded1f9258276828c5e40984b82f2520450fc3dc44838bb85e00c6d3f5ae4f7addfd50ef584c654c2dc6cd93b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
52cc211229b97bf378ee1bfaeefe1fd6

SHA1
c4a7189cc52c5d9228ad4ac928f5e8e79f46f480

SHA256
acc519c37b7ed4ccfcd061302008160647b3be1d3e4ee7e32a6881405459a1ed

SHA512
106b4b34f0c05914501fd4265792453b82b07d5723968aa25b686f72d8540a493ebb17f2167d64be9984b83fa49d3d57764217dca8fca4185e1f23d8e2e993eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
164d1f52d7341d129ec72a6fdac0ae47

SHA1
f6899c1ede9265e79de9baca722e1cd03eedd3d6

SHA256
1a0c66eb66ffe882eea79b8e5fc44a137c8bcac84e09aef3006036a2fd9341e3

SHA512
16ac477c13181e845e28ebfb6498c013c21b70a2f410fb2c6f46b159cef0e73aa6aa8f9ea0a1ffba92b5c41e49bbbb92cf278b57566223102182c665c44f9adb

Download Submit
memory/2132-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download