326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
Size

1.1MB
MD5

6ad15bf2c2aac8d4713a89ec8fb5c553
SHA1

d857cfcd40b1004ea8554793d6f72321195d0e31
SHA256

326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66
SHA512

fe50a0d192acc8ace4a2f5bddcd54eb48c49683d086cfeb9e664c20c71666ab07e5d6ac93cfd08ebf45e8e9192459e47dc826f8c507791577711020285e33ce3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qf:acallSllG4ZM7QzMI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2476	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2476	svchcst.exe
2764	svchcst.exe
1324	svchcst.exe
2236	svchcst.exe
1416	svchcst.exe
2960	svchcst.exe
2108	svchcst.exe
2608	svchcst.exe
2492	svchcst.exe
2896	svchcst.exe
2312	svchcst.exe
2036	svchcst.exe
2216	svchcst.exe
1280	svchcst.exe
1652	svchcst.exe
1864	svchcst.exe
2328	svchcst.exe
2540	svchcst.exe
1584	svchcst.exe
1564	svchcst.exe
876	svchcst.exe
2404	svchcst.exe
448	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2564	WScript.exe
2564	WScript.exe
2056	WScript.exe
2056	WScript.exe
340	WScript.exe
340	WScript.exe
2044	WScript.exe
2044	WScript.exe
2200	WScript.exe
2392	WScript.exe
2392	WScript.exe
1744	WScript.exe
2672	WScript.exe
2672	WScript.exe
1568	WScript.exe
2208	WScript.exe
572	WScript.exe
572	WScript.exe
992	WScript.exe
992	WScript.exe
652	WScript.exe
652	WScript.exe
2356	WScript.exe
2356	WScript.exe
2856	WScript.exe
2856	WScript.exe
1648	WScript.exe
1648	WScript.exe
2620	WScript.exe
2620	WScript.exe
1436	WScript.exe
1436	WScript.exe
2180	WScript.exe
2180	WScript.exe
2236	WScript.exe
2236	WScript.exe
1116	WScript.exe
1116	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
2476	svchcst.exe
2476	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
1324	svchcst.exe
1324	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
1280	svchcst.exe
1280	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
876	svchcst.exe
876	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
448	svchcst.exe
448	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2564	2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	28
PID 2912 wrote to memory of 2564	2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	28
PID 2912 wrote to memory of 2564	2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	28
PID 2912 wrote to memory of 2564	2912	326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe	28
PID 2564 wrote to memory of 2476	2564	WScript.exe	30
PID 2564 wrote to memory of 2476	2564	WScript.exe	30
PID 2564 wrote to memory of 2476	2564	WScript.exe	30
PID 2564 wrote to memory of 2476	2564	WScript.exe	30
PID 2476 wrote to memory of 2056	2476	svchcst.exe	31
PID 2476 wrote to memory of 2056	2476	svchcst.exe	31
PID 2476 wrote to memory of 2056	2476	svchcst.exe	31
PID 2476 wrote to memory of 2056	2476	svchcst.exe	31
PID 2056 wrote to memory of 2764	2056	WScript.exe	32
PID 2056 wrote to memory of 2764	2056	WScript.exe	32
PID 2056 wrote to memory of 2764	2056	WScript.exe	32
PID 2056 wrote to memory of 2764	2056	WScript.exe	32
PID 2764 wrote to memory of 340	2764	svchcst.exe	33
PID 2764 wrote to memory of 340	2764	svchcst.exe	33
PID 2764 wrote to memory of 340	2764	svchcst.exe	33
PID 2764 wrote to memory of 340	2764	svchcst.exe	33
PID 340 wrote to memory of 1324	340	WScript.exe	34
PID 340 wrote to memory of 1324	340	WScript.exe	34
PID 340 wrote to memory of 1324	340	WScript.exe	34
PID 340 wrote to memory of 1324	340	WScript.exe	34
PID 1324 wrote to memory of 2044	1324	svchcst.exe	35
PID 1324 wrote to memory of 2044	1324	svchcst.exe	35
PID 1324 wrote to memory of 2044	1324	svchcst.exe	35
PID 1324 wrote to memory of 2044	1324	svchcst.exe	35
PID 2044 wrote to memory of 2236	2044	WScript.exe	36
PID 2044 wrote to memory of 2236	2044	WScript.exe	36
PID 2044 wrote to memory of 2236	2044	WScript.exe	36
PID 2044 wrote to memory of 2236	2044	WScript.exe	36
PID 2236 wrote to memory of 2200	2236	svchcst.exe	37
PID 2236 wrote to memory of 2200	2236	svchcst.exe	37
PID 2236 wrote to memory of 2200	2236	svchcst.exe	37
PID 2236 wrote to memory of 2200	2236	svchcst.exe	37
PID 2200 wrote to memory of 1416	2200	WScript.exe	38
PID 2200 wrote to memory of 1416	2200	WScript.exe	38
PID 2200 wrote to memory of 1416	2200	WScript.exe	38
PID 2200 wrote to memory of 1416	2200	WScript.exe	38
PID 1416 wrote to memory of 2392	1416	svchcst.exe	39
PID 1416 wrote to memory of 2392	1416	svchcst.exe	39
PID 1416 wrote to memory of 2392	1416	svchcst.exe	39
PID 1416 wrote to memory of 2392	1416	svchcst.exe	39
PID 2392 wrote to memory of 2960	2392	WScript.exe	40
PID 2392 wrote to memory of 2960	2392	WScript.exe	40
PID 2392 wrote to memory of 2960	2392	WScript.exe	40
PID 2392 wrote to memory of 2960	2392	WScript.exe	40
PID 2960 wrote to memory of 1816	2960	svchcst.exe	41
PID 2960 wrote to memory of 1816	2960	svchcst.exe	41
PID 2960 wrote to memory of 1816	2960	svchcst.exe	41
PID 2960 wrote to memory of 1816	2960	svchcst.exe	41
PID 2392 wrote to memory of 2108	2392	WScript.exe	42
PID 2392 wrote to memory of 2108	2392	WScript.exe	42
PID 2392 wrote to memory of 2108	2392	WScript.exe	42
PID 2392 wrote to memory of 2108	2392	WScript.exe	42
PID 2108 wrote to memory of 1744	2108	svchcst.exe	43
PID 2108 wrote to memory of 1744	2108	svchcst.exe	43
PID 2108 wrote to memory of 1744	2108	svchcst.exe	43
PID 2108 wrote to memory of 1744	2108	svchcst.exe	43
PID 1744 wrote to memory of 2608	1744	WScript.exe	46
PID 1744 wrote to memory of 2608	1744	WScript.exe	46
PID 1744 wrote to memory of 2608	1744	WScript.exe	46
PID 1744 wrote to memory of 2608	1744	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe
"C:\Users\Admin\AppData\Local\Temp\326285ff6367c68e171fe47ffe99ef3227a15f3bec3020afba3948eafaad8f66.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
178fe08e7af85e0ad9610eac960b040a

SHA1
e968cc03ab530b7434d3b6198314b8ac611408fc

SHA256
1db8d7323defeb9d9d02eb618b8a599a2982a83945c0f38b5ece5ec4e9d8db6b

SHA512
0ddd9dce59c84018a8f3af771c37c605a69496f591c8ade87a1cc97ebc00269c5dfc796d4b6f487aecc4dc53525f0e9412e3462858f027dd75773bce2223f59a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25874246c29e6249372a62c1ffb8a1ae

SHA1
8b271268ba9ae539e8c5ca3233e5f85772899926

SHA256
3d9e506a169afe13ea22a91f88363de0837fc11723beb0425f564262d104bb59

SHA512
bb48d383a7aa5bc14fbe010fd778e40512b1079fa7c66757041b6e79c51bf6a719b058434d6c603db81d8d5bd269f354d153ca899aaae789e25061f005afcdaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
23221da2dae761393953ea35c78eead4

SHA1
e87619be012d1d6d7389a693ff3f42ed4a2c5de9

SHA256
3c1edffe864bf3e764f940955b22e255a93a3326d897766412ce5119d62a8a99

SHA512
2c7e26f9fa41cbbfcaf32c50d87b59843d9128f25bdff87e052a23c4faa5292900392556ca1a9734a973c060d75a6e927ac0b25db4e763d02ccf266b3e21ee33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6778493f59a11a8b5c628cec86ad8d6d

SHA1
514f2058416d0eef0b5df9a849c8e5bde2ef326e

SHA256
431a7705d37c0d86e47b3f0b804e87f9ec01bdc3f28835369a5d3b92f3485d2a

SHA512
ba33ff49f2f8f5e53d5866d596f2c8a880036449d951ed184fafc90105bda4400e90c2202e498030fbabcc68df26dc60c52be72c0a3b665cf26e55dfdce46337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2bcc6630ca9d4dd4cba6bb7f3e86c93c

SHA1
cf29e1cd445d0572625e732caa151088fc3fd730

SHA256
025a5d977d1281fd1e9e3431107d74525819173307017b42631481ea275be027

SHA512
ac6ed21346a2ee7d7e177131769a1f8feb12a0f024cca8715333792b5404fd127c3e3e3071e7247539d57fbe5f8c15aedcfc575c57363d61e127ae3655b27fe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
94532cdf542d1b44c735e5583c182dc8

SHA1
2b474555792207c86a1840fa46897e8f29b02e28

SHA256
f4a06851e0ee3ad9745198acfd8a281cc38cb231fabed6b22e6de112c67a260f

SHA512
3fe4f80841ca884b803d3c6ab037d7dc3c3540a9db18c065b99c7331e1d0bffdf8dce5c0554d0cdd50ecf87df2929da84c82b7a4e449dbe0483164b4a5684441

Download Submit
memory/448-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1116-239-0x00000000044B0000-0x000000000460F000-memory.dmp

Filesize
1.4MB

Download
memory/1280-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1280-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1324-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1324-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1584-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1584-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-221-0x00000000044D0000-0x000000000462F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-146-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-105-0x00000000047D0000-0x000000000492F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1864-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-29-0x00000000059B0000-0x0000000005B0F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-222-0x0000000004720000-0x000000000487F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-90-0x0000000005F00000-0x000000000605F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-15-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-13-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/2608-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2608-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-114-0x0000000004850000-0x00000000049AF000-memory.dmp

Filesize
1.4MB

Download
memory/2764-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download