2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
Size

1.1MB
MD5

c8cf72a17c845608bfdbc128b918ee34
SHA1

2868f3e4ec8b4ff0261b74dbfb490351df41afce
SHA256

2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf
SHA512

5983a8a0d47b72c90c645414d1edb3a9fd954b9910add052f1ebbfcb1118f3fc7287bb11b1eaca66bbe761339c6e38f93946fbb9f67154db1ffd92416be2efae
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMi

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2588	svchcst.exe
1416	svchcst.exe
1784	svchcst.exe
1320	svchcst.exe
800	svchcst.exe
1224	svchcst.exe
2844	svchcst.exe
2540	svchcst.exe
2524	svchcst.exe
1728	svchcst.exe
1352	svchcst.exe
2268	svchcst.exe
1216	svchcst.exe
1960	svchcst.exe
1604	svchcst.exe
2876	svchcst.exe
1540	svchcst.exe
1740	svchcst.exe
1240	svchcst.exe
2268	svchcst.exe
692	svchcst.exe
544	svchcst.exe
2076	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
3032	WScript.exe
3032	WScript.exe
2936	WScript.exe
2936	WScript.exe
2124	WScript.exe
2124	WScript.exe
692	WScript.exe
692	WScript.exe
2412	WScript.exe
2412	WScript.exe
2856	WScript.exe
1984	WScript.exe
1984	WScript.exe
2932	WScript.exe
1424	WScript.exe
1424	WScript.exe
1424	WScript.exe
1424	WScript.exe
2120	WScript.exe
2816	WScript.exe
864	WScript.exe
1664	WScript.exe
1664	WScript.exe
2000	WScript.exe
2000	WScript.exe
1984	WScript.exe
1984	WScript.exe
2936	WScript.exe
2936	WScript.exe
2776	WScript.exe
2776	WScript.exe
2328	WScript.exe
2328	WScript.exe
2248	WScript.exe
2248	WScript.exe
800	WScript.exe
800	WScript.exe
1916	WScript.exe
1916	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
2588	svchcst.exe
2588	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
800	svchcst.exe
800	svchcst.exe
1224	svchcst.exe
1224	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
1352	svchcst.exe
1352	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
1540	svchcst.exe
1540	svchcst.exe
1740	svchcst.exe
1740	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
692	svchcst.exe
692	svchcst.exe
544	svchcst.exe
544	svchcst.exe
2076	svchcst.exe
2076	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 3032	1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe	28
PID 1012 wrote to memory of 3032	1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe	28
PID 1012 wrote to memory of 3032	1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe	28
PID 1012 wrote to memory of 3032	1012	2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe	28
PID 3032 wrote to memory of 2588	3032	WScript.exe	30
PID 3032 wrote to memory of 2588	3032	WScript.exe	30
PID 3032 wrote to memory of 2588	3032	WScript.exe	30
PID 3032 wrote to memory of 2588	3032	WScript.exe	30
PID 2588 wrote to memory of 2936	2588	svchcst.exe	31
PID 2588 wrote to memory of 2936	2588	svchcst.exe	31
PID 2588 wrote to memory of 2936	2588	svchcst.exe	31
PID 2588 wrote to memory of 2936	2588	svchcst.exe	31
PID 2936 wrote to memory of 1416	2936	WScript.exe	32
PID 2936 wrote to memory of 1416	2936	WScript.exe	32
PID 2936 wrote to memory of 1416	2936	WScript.exe	32
PID 2936 wrote to memory of 1416	2936	WScript.exe	32
PID 1416 wrote to memory of 2124	1416	svchcst.exe	33
PID 1416 wrote to memory of 2124	1416	svchcst.exe	33
PID 1416 wrote to memory of 2124	1416	svchcst.exe	33
PID 1416 wrote to memory of 2124	1416	svchcst.exe	33
PID 2124 wrote to memory of 1784	2124	WScript.exe	34
PID 2124 wrote to memory of 1784	2124	WScript.exe	34
PID 2124 wrote to memory of 1784	2124	WScript.exe	34
PID 2124 wrote to memory of 1784	2124	WScript.exe	34
PID 1784 wrote to memory of 692	1784	svchcst.exe	35
PID 1784 wrote to memory of 692	1784	svchcst.exe	35
PID 1784 wrote to memory of 692	1784	svchcst.exe	35
PID 1784 wrote to memory of 692	1784	svchcst.exe	35
PID 692 wrote to memory of 1320	692	WScript.exe	36
PID 692 wrote to memory of 1320	692	WScript.exe	36
PID 692 wrote to memory of 1320	692	WScript.exe	36
PID 692 wrote to memory of 1320	692	WScript.exe	36
PID 1320 wrote to memory of 2412	1320	svchcst.exe	37
PID 1320 wrote to memory of 2412	1320	svchcst.exe	37
PID 1320 wrote to memory of 2412	1320	svchcst.exe	37
PID 1320 wrote to memory of 2412	1320	svchcst.exe	37
PID 1320 wrote to memory of 2188	1320	svchcst.exe	38
PID 1320 wrote to memory of 2188	1320	svchcst.exe	38
PID 1320 wrote to memory of 2188	1320	svchcst.exe	38
PID 1320 wrote to memory of 2188	1320	svchcst.exe	38
PID 2412 wrote to memory of 800	2412	WScript.exe	39
PID 2412 wrote to memory of 800	2412	WScript.exe	39
PID 2412 wrote to memory of 800	2412	WScript.exe	39
PID 2412 wrote to memory of 800	2412	WScript.exe	39
PID 800 wrote to memory of 2856	800	svchcst.exe	40
PID 800 wrote to memory of 2856	800	svchcst.exe	40
PID 800 wrote to memory of 2856	800	svchcst.exe	40
PID 800 wrote to memory of 2856	800	svchcst.exe	40
PID 2856 wrote to memory of 1224	2856	WScript.exe	41
PID 2856 wrote to memory of 1224	2856	WScript.exe	41
PID 2856 wrote to memory of 1224	2856	WScript.exe	41
PID 2856 wrote to memory of 1224	2856	WScript.exe	41
PID 1224 wrote to memory of 1984	1224	svchcst.exe	42
PID 1224 wrote to memory of 1984	1224	svchcst.exe	42
PID 1224 wrote to memory of 1984	1224	svchcst.exe	42
PID 1224 wrote to memory of 1984	1224	svchcst.exe	42
PID 1984 wrote to memory of 2844	1984	WScript.exe	45
PID 1984 wrote to memory of 2844	1984	WScript.exe	45
PID 1984 wrote to memory of 2844	1984	WScript.exe	45
PID 1984 wrote to memory of 2844	1984	WScript.exe	45
PID 2844 wrote to memory of 960	2844	svchcst.exe	46
PID 2844 wrote to memory of 960	2844	svchcst.exe	46
PID 2844 wrote to memory of 960	2844	svchcst.exe	46
PID 2844 wrote to memory of 960	2844	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe
"C:\Users\Admin\AppData\Local\Temp\2bd006fe591dc8657a1c9fe618d0feffd0c417e019351719e60904501dbca3cf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7c5d694b584c94ca177e39184aa4b508

SHA1
a775793fcdc44769db6c86934b3adeb57fa5fd71

SHA256
d06810cefc4fcc101f919e97f5626d7c1b5ef56e583b9cfc87ff20be48c15836

SHA512
18847a85746ce97e7bcbb95dde1b7559099fea25261a1c3d263d55b503e9fcad8f748164b94d13930793d644408f8999abd2f29987d09a5d7ec380c605e5cd65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59926e3334864e08ddd6600898dbebb5

SHA1
e634ea67235746aa632c51c8e570377e0310fb45

SHA256
60151859494eb8c55e2d150f306886a31911ff0afa9a092d0dd845bc4c86dd7a

SHA512
0f3ad597601474b6f11e051587bf85f1fa94702698ef0f4fbc6b679cb880634549c43ab022f1cc015fb3416c1dc6512139f2fd0e0acb33f81d1d0d8405556d94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86785638d44b26963a64cd50f8bd63a6

SHA1
abd7d2d6cdbb8d7959bc06b312e13505dca25769

SHA256
ddb9a36dc62bca496d76fb46ee205a4f144259b749fec67dc07460effa5dca3d

SHA512
61c0e1d6c04cfdedccb12fba2b5b923a90ae00650732d3116294a9405f61c19526f326c3ab822db042510095245dddf1808732f40931e1febccd8fe5256b85d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
493460a9c668f075cfa5d8c4eb372fab

SHA1
334ca5a9633b1eb47a7bfbdea35256a169d00bd0

SHA256
9d8fef5a4344879bf352757f1c29759c7664968d03b9d02c5162e116d351dc82

SHA512
f1e66234e856e3d84dcfb28a093328af48bad2e021d08bc3216b49a5ac200918abeaa206215c2948c3a5feee58de82eb59b4659f8ed045fea1c1e5d299dbb20d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
54005e2e4bff442614af36c0349da3fd

SHA1
d81db5e8cc82bf9df8cf585d46b9d59633bb6989

SHA256
b25cc495eb5d47e3248d5fe857b98d72256e08d6c195c61b6a776ea06cc56a14

SHA512
0351d4eda176dc40f551c047f1371d78ac719ba30fa498c30ac3f10710b79da17ba250a2ab3b75041246cc6221b10bb195d4aa6c2cbfaba8e9dc02c2e1e0e025

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a0c1f67c43beaec3d5bbb29283ec022d

SHA1
b2d8e7cbb3b19b47b9edca96c6030a4df89036b6

SHA256
5db616dc2a102333eb790b9bdcf2746c3a185b837c533bfeace0c8be00d52a51

SHA512
fecf618f62c13aa857778a5d9c799e179514049071e43201f078aac9a2a2e9964152cec1b42cbb10ce7af184057aff61f3621e855321eb552be1ffe99cd374dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
81da2bc32c961e0f8630382e8260e5b7

SHA1
edbd6a618e3db0aee2497f82144d496d9b8e382a

SHA256
637dcfe8b9c609f08afe7df2476470e74e59c88abd34fbac1875ef98221329f4

SHA512
74b265b28e31bcbb5ba60badb0024174fc250fa1220b99d4da54a8f54f7e9e5a1b6d54e5781890fa3115bd87c884635d1cf306e47a4f1d6689142711114c323d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee9a2b455ff7aaabcda97dec02721aa2

SHA1
29e7a157ec3e35063d034048933f6f0b1393a10e

SHA256
d67c0fb5e0ac15c1897f80cad8c1ec19b6a75d18ebc6ba411f026499c5319129

SHA512
bcd64233a1cf39f43981e31671be99e81f92848d93381dd9cd2fa6f31f0ff55ce33a508a4a876be1ec176737fb5ba54b6a769e8c3ddcd02b02a51b4838a62761

Download Submit
memory/544-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/544-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/692-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/692-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/800-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/800-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1012-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1012-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1216-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1216-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1224-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1352-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-133-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-132-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-148-0x0000000005F00000-0x000000000605F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1604-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1784-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1960-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1960-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-260-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2120-161-0x0000000005A30000-0x0000000005B8F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-241-0x00000000046C0000-0x000000000481F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2268-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-73-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-72-0x0000000005A10000-0x0000000005B6F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2524-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2524-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-167-0x0000000005AF0000-0x0000000005C4F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-117-0x00000000044F0000-0x000000000464F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-29-0x00000000044D0000-0x000000000462F000-memory.dmp

Filesize
1.4MB

Download