32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe
Size

1.1MB
MD5

e64fd8e0e3189585fd9ed008f7e6b0de
SHA1

eae18ad1ff956d3fe164f54e9fbc9188840dc4a8
SHA256

32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7
SHA512

84a3d84fabda0a16e5edf1ba9b6bd5368d31832426bc90445dd5891fd40e44d08c1b12a59de323d71d3c0d0eccd4334ad0a3df6f7a07a99bd3d1592e436e8bd3
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMy

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2872	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2872	svchcst.exe
1340	svchcst.exe
2248	svchcst.exe
1084	svchcst.exe
336	svchcst.exe
1324	svchcst.exe
952	svchcst.exe
1244	svchcst.exe
2060	svchcst.exe
2960	svchcst.exe
2780	svchcst.exe
1620	svchcst.exe
2948	svchcst.exe
240	svchcst.exe
1740	svchcst.exe
2108	svchcst.exe
1316	svchcst.exe
820	svchcst.exe
2328	svchcst.exe
2196	svchcst.exe
2672	svchcst.exe
2692	svchcst.exe
2348	svchcst.exe
1536	svchcst.exe
1800	svchcst.exe

Loads dropped DLL 35 IoCs

pid	Process
3044	WScript.exe
3044	WScript.exe
2560	WScript.exe
2828	WScript.exe
2828	WScript.exe
2284	WScript.exe
2284	WScript.exe
1916	WScript.exe
1916	WScript.exe
2540	WScript.exe
2540	WScript.exe
2464	WScript.exe
1756	WScript.exe
1756	WScript.exe
1748	WScript.exe
1756	WScript.exe
584	WScript.exe
584	WScript.exe
1748	WScript.exe
1976	WScript.exe
1976	WScript.exe
1884	WScript.exe
1884	WScript.exe
2524	WScript.exe
2524	WScript.exe
3044	WScript.exe
3044	WScript.exe
2960	WScript.exe
2960	WScript.exe
1644	WScript.exe
1644	WScript.exe
488	WScript.exe
488	WScript.exe
1640	WScript.exe
1640	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe
2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe
2872	svchcst.exe
2872	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
1084	svchcst.exe
1084	svchcst.exe
336	svchcst.exe
336	svchcst.exe
1324	svchcst.exe
1324	svchcst.exe
952	svchcst.exe
952	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
240	svchcst.exe
240	svchcst.exe
1740	svchcst.exe
1740	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
1316	svchcst.exe
1316	svchcst.exe
820	svchcst.exe
820	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3044	2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe	28
PID 2060 wrote to memory of 3044	2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe	28
PID 2060 wrote to memory of 3044	2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe	28
PID 2060 wrote to memory of 3044	2060	32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe	28
PID 3044 wrote to memory of 2872	3044	WScript.exe	30
PID 3044 wrote to memory of 2872	3044	WScript.exe	30
PID 3044 wrote to memory of 2872	3044	WScript.exe	30
PID 3044 wrote to memory of 2872	3044	WScript.exe	30
PID 2872 wrote to memory of 2560	2872	svchcst.exe	31
PID 2872 wrote to memory of 2560	2872	svchcst.exe	31
PID 2872 wrote to memory of 2560	2872	svchcst.exe	31
PID 2872 wrote to memory of 2560	2872	svchcst.exe	31
PID 2560 wrote to memory of 1340	2560	WScript.exe	32
PID 2560 wrote to memory of 1340	2560	WScript.exe	32
PID 2560 wrote to memory of 1340	2560	WScript.exe	32
PID 2560 wrote to memory of 1340	2560	WScript.exe	32
PID 1340 wrote to memory of 2828	1340	svchcst.exe	33
PID 1340 wrote to memory of 2828	1340	svchcst.exe	33
PID 1340 wrote to memory of 2828	1340	svchcst.exe	33
PID 1340 wrote to memory of 2828	1340	svchcst.exe	33
PID 2828 wrote to memory of 2248	2828	WScript.exe	34
PID 2828 wrote to memory of 2248	2828	WScript.exe	34
PID 2828 wrote to memory of 2248	2828	WScript.exe	34
PID 2828 wrote to memory of 2248	2828	WScript.exe	34
PID 2248 wrote to memory of 2784	2248	svchcst.exe	35
PID 2248 wrote to memory of 2784	2248	svchcst.exe	35
PID 2248 wrote to memory of 2784	2248	svchcst.exe	35
PID 2248 wrote to memory of 2784	2248	svchcst.exe	35
PID 2828 wrote to memory of 1084	2828	WScript.exe	36
PID 2828 wrote to memory of 1084	2828	WScript.exe	36
PID 2828 wrote to memory of 1084	2828	WScript.exe	36
PID 2828 wrote to memory of 1084	2828	WScript.exe	36
PID 1084 wrote to memory of 2284	1084	svchcst.exe	37
PID 1084 wrote to memory of 2284	1084	svchcst.exe	37
PID 1084 wrote to memory of 2284	1084	svchcst.exe	37
PID 1084 wrote to memory of 2284	1084	svchcst.exe	37
PID 2284 wrote to memory of 336	2284	WScript.exe	38
PID 2284 wrote to memory of 336	2284	WScript.exe	38
PID 2284 wrote to memory of 336	2284	WScript.exe	38
PID 2284 wrote to memory of 336	2284	WScript.exe	38
PID 336 wrote to memory of 2424	336	svchcst.exe	39
PID 336 wrote to memory of 2424	336	svchcst.exe	39
PID 336 wrote to memory of 2424	336	svchcst.exe	39
PID 336 wrote to memory of 2424	336	svchcst.exe	39
PID 2284 wrote to memory of 1324	2284	WScript.exe	40
PID 2284 wrote to memory of 1324	2284	WScript.exe	40
PID 2284 wrote to memory of 1324	2284	WScript.exe	40
PID 2284 wrote to memory of 1324	2284	WScript.exe	40
PID 1324 wrote to memory of 1916	1324	svchcst.exe	41
PID 1324 wrote to memory of 1916	1324	svchcst.exe	41
PID 1324 wrote to memory of 1916	1324	svchcst.exe	41
PID 1324 wrote to memory of 1916	1324	svchcst.exe	41
PID 1916 wrote to memory of 952	1916	WScript.exe	42
PID 1916 wrote to memory of 952	1916	WScript.exe	42
PID 1916 wrote to memory of 952	1916	WScript.exe	42
PID 1916 wrote to memory of 952	1916	WScript.exe	42
PID 952 wrote to memory of 2328	952	svchcst.exe	43
PID 952 wrote to memory of 2328	952	svchcst.exe	43
PID 952 wrote to memory of 2328	952	svchcst.exe	43
PID 952 wrote to memory of 2328	952	svchcst.exe	43
PID 1916 wrote to memory of 1244	1916	WScript.exe	46
PID 1916 wrote to memory of 1244	1916	WScript.exe	46
PID 1916 wrote to memory of 1244	1916	WScript.exe	46
PID 1916 wrote to memory of 1244	1916	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe
"C:\Users\Admin\AppData\Local\Temp\32a04c48e1166a925e1350ede6d7ceed719a59a621eb4f92e49d086f9bacf0a7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
050b8a8152fbb07db316b317dd710a21

SHA1
78b18f490a33061d38cea8a4beef9fceac7fa527

SHA256
d872852c1f5ab4e08c9c027c762257c0b92bc1487005fdd5965bfc3014e89808

SHA512
8fb10dbe38d343d5d68efe0ed0df045b60788bfd991e1a7eb882f6e2b79474e34345664e14a2708e6374ed6033bcc66ea8579587137624bdcb6fc5690f6108bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
beb30f33de3830033e11cbe8c6af766b

SHA1
92246c224ed6a488ad0fcb14831ceb3fc400e7de

SHA256
ee8bb6b7198fe20ec6e0d12c55855cb9e4ef492bcc1b34b344672073d6cf4860

SHA512
de2be7e189adc3c1a089a09a25820cfc73f6d31394080ca68b5f6c079e1578855273f13f76d30ed0a982ceef065296c4e10aa49c93a9aa4afb7630223a8e8748

Download Submit
memory/2060-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download