4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe
Size

1.1MB
MD5

206ac71bc4ee059792e669a5de825b20
SHA1

459a94a7a3afb225f0941af1db1b06ff0a39a38d
SHA256

4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74
SHA512

003a29e1f4452a61f6675a62b7037523457438fe991d643c97bb16b7e84152d9e3955a8895e2242415eb040968edb8ea0671b277fe454f9a113e56aa502b230f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qy:acallSllG4ZM7QzMh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2412	svchcst.exe

Executes dropped EXE 26 IoCs

pid	Process
2412	svchcst.exe
1656	svchcst.exe
1892	svchcst.exe
1192	svchcst.exe
324	svchcst.exe
1876	svchcst.exe
1036	svchcst.exe
2992	svchcst.exe
2196	svchcst.exe
2876	svchcst.exe
2428	svchcst.exe
360	svchcst.exe
1912	svchcst.exe
2472	svchcst.exe
2220	svchcst.exe
1932	svchcst.exe
1012	svchcst.exe
1820	svchcst.exe
2468	svchcst.exe
876	svchcst.exe
1624	svchcst.exe
2648	svchcst.exe
2476	svchcst.exe
688	svchcst.exe
1764	svchcst.exe
3020	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2068	WScript.exe
2068	WScript.exe
848	WScript.exe
2704	WScript.exe
2704	WScript.exe
2424	WScript.exe
2424	WScript.exe
1548	WScript.exe
276	WScript.exe
1548	WScript.exe
2128	WScript.exe
2560	WScript.exe
2128	WScript.exe
2560	WScript.exe
1952	WScript.exe
1748	WScript.exe
1748	WScript.exe
1132	WScript.exe
1132	WScript.exe
1132	WScript.exe
1132	WScript.exe
2348	WScript.exe
2348	WScript.exe
2624	WScript.exe
2624	WScript.exe
2620	WScript.exe
2620	WScript.exe
2052	WScript.exe
2052	WScript.exe
2092	WScript.exe
2092	WScript.exe
1328	WScript.exe
1328	WScript.exe
3064	WScript.exe
3064	WScript.exe
2704	WScript.exe
2704	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe
2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe
2412	svchcst.exe
2412	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1892	svchcst.exe
1892	svchcst.exe
1192	svchcst.exe
1192	svchcst.exe
324	svchcst.exe
324	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
360	svchcst.exe
360	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
876	svchcst.exe
876	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
688	svchcst.exe
688	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2068	2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe	28
PID 2468 wrote to memory of 2068	2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe	28
PID 2468 wrote to memory of 2068	2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe	28
PID 2468 wrote to memory of 2068	2468	4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe	28
PID 2068 wrote to memory of 2412	2068	WScript.exe	30
PID 2068 wrote to memory of 2412	2068	WScript.exe	30
PID 2068 wrote to memory of 2412	2068	WScript.exe	30
PID 2068 wrote to memory of 2412	2068	WScript.exe	30
PID 2412 wrote to memory of 848	2412	svchcst.exe	31
PID 2412 wrote to memory of 848	2412	svchcst.exe	31
PID 2412 wrote to memory of 848	2412	svchcst.exe	31
PID 2412 wrote to memory of 848	2412	svchcst.exe	31
PID 848 wrote to memory of 1656	848	WScript.exe	32
PID 848 wrote to memory of 1656	848	WScript.exe	32
PID 848 wrote to memory of 1656	848	WScript.exe	32
PID 848 wrote to memory of 1656	848	WScript.exe	32
PID 1656 wrote to memory of 2704	1656	svchcst.exe	33
PID 1656 wrote to memory of 2704	1656	svchcst.exe	33
PID 1656 wrote to memory of 2704	1656	svchcst.exe	33
PID 1656 wrote to memory of 2704	1656	svchcst.exe	33
PID 2704 wrote to memory of 1892	2704	WScript.exe	34
PID 2704 wrote to memory of 1892	2704	WScript.exe	34
PID 2704 wrote to memory of 1892	2704	WScript.exe	34
PID 2704 wrote to memory of 1892	2704	WScript.exe	34
PID 1892 wrote to memory of 2284	1892	svchcst.exe	35
PID 1892 wrote to memory of 2284	1892	svchcst.exe	35
PID 1892 wrote to memory of 2284	1892	svchcst.exe	35
PID 1892 wrote to memory of 2284	1892	svchcst.exe	35
PID 2704 wrote to memory of 1192	2704	WScript.exe	36
PID 2704 wrote to memory of 1192	2704	WScript.exe	36
PID 2704 wrote to memory of 1192	2704	WScript.exe	36
PID 2704 wrote to memory of 1192	2704	WScript.exe	36
PID 1192 wrote to memory of 2424	1192	svchcst.exe	37
PID 1192 wrote to memory of 2424	1192	svchcst.exe	37
PID 1192 wrote to memory of 2424	1192	svchcst.exe	37
PID 1192 wrote to memory of 2424	1192	svchcst.exe	37
PID 2424 wrote to memory of 324	2424	WScript.exe	38
PID 2424 wrote to memory of 324	2424	WScript.exe	38
PID 2424 wrote to memory of 324	2424	WScript.exe	38
PID 2424 wrote to memory of 324	2424	WScript.exe	38
PID 324 wrote to memory of 1548	324	svchcst.exe	39
PID 324 wrote to memory of 1548	324	svchcst.exe	39
PID 324 wrote to memory of 1548	324	svchcst.exe	39
PID 324 wrote to memory of 1548	324	svchcst.exe	39
PID 2424 wrote to memory of 1876	2424	WScript.exe	40
PID 2424 wrote to memory of 1876	2424	WScript.exe	40
PID 2424 wrote to memory of 1876	2424	WScript.exe	40
PID 2424 wrote to memory of 1876	2424	WScript.exe	40
PID 1876 wrote to memory of 276	1876	svchcst.exe	41
PID 1876 wrote to memory of 276	1876	svchcst.exe	41
PID 1876 wrote to memory of 276	1876	svchcst.exe	41
PID 1876 wrote to memory of 276	1876	svchcst.exe	41
PID 1548 wrote to memory of 1036	1548	WScript.exe	42
PID 1548 wrote to memory of 1036	1548	WScript.exe	42
PID 1548 wrote to memory of 1036	1548	WScript.exe	42
PID 1548 wrote to memory of 1036	1548	WScript.exe	42
PID 1036 wrote to memory of 2128	1036	svchcst.exe	43
PID 1036 wrote to memory of 2128	1036	svchcst.exe	43
PID 1036 wrote to memory of 2128	1036	svchcst.exe	43
PID 1036 wrote to memory of 2128	1036	svchcst.exe	43
PID 276 wrote to memory of 2992	276	WScript.exe	44
PID 276 wrote to memory of 2992	276	WScript.exe	44
PID 276 wrote to memory of 2992	276	WScript.exe	44
PID 276 wrote to memory of 2992	276	WScript.exe	44

C:\Users\Admin\AppData\Local\Temp\4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe
"C:\Users\Admin\AppData\Local\Temp\4482e9e0aaaff828cf2729c2103637754884039c109be00221c3f89dce3edc74.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9011effd0fc3a085afefbadc5799c120

SHA1
e1f77065774df16a900692719b8a8a8cee82b64f

SHA256
737cda50d346b7092384dd5ea6635efcd059fbfa2da250a9e0588633dd894924

SHA512
52aff220c42576f5e5d6ee19d5a859f129b58a9885de043f19d912664f3a45d36bc15a6ec64a44f1c1461b8d550675fc5ad996681790aaf0bb81e4dadce5c209

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
441c37afef28c495ba4b89ebdb26fb6e

SHA1
68665fe36df24f6d0bf2b0c4bfae61faf38f8985

SHA256
75ccfaff45b60e09b89a2c170c54299d4efbdc4408e565f5f615e785c64d7860

SHA512
7918addf44fc7dd0d578bcaa39ce9755b4c6c8811823939b79e6f588d1b8c5c498b96e86ab4c8335e6130338fe041982e14844c36b6549d55103ce52632d6b0f

Download Submit
memory/276-96-0x00000000046E0000-0x000000000483F000-memory.dmp

Filesize
1.4MB

Download
memory/324-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/324-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/360-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/360-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1012-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1012-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-167-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-177-0x0000000005DB0000-0x0000000005F0F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-176-0x0000000005DB0000-0x0000000005F0F000-memory.dmp

Filesize
1.4MB

Download
memory/1192-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1192-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1820-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1820-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1876-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1876-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2092-219-0x0000000003C20000-0x0000000003D7F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-107-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/2196-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-62-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-75-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2472-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-195-0x0000000005CE0000-0x0000000005E3F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-50-0x0000000005BE0000-0x0000000005D3F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-237-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download