02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
Size

1.1MB
MD5

6e175ef9d507ed111b10260035c402ec
SHA1

cc5c7789ebd5d0510c0f9405ce43bc9acb64f043
SHA256

02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554
SHA512

cab9d8a0dd9a76d51c3cf29fcb0505e2297391e85bb7ed09c6e2868afa538d3a5978c9ddf53b386a1e82ef600157fb2daa7b0343aeeaf5dd33814a8266c06aa3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q4:acallSllG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2628	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2628	svchcst.exe
2696	svchcst.exe
2356	svchcst.exe
2052	svchcst.exe
1168	svchcst.exe
2068	svchcst.exe
2424	svchcst.exe
2588	svchcst.exe
2484	svchcst.exe
2960	svchcst.exe
1444	svchcst.exe
2444	svchcst.exe
2000	svchcst.exe
2432	svchcst.exe
1900	svchcst.exe
1948	svchcst.exe
2984	svchcst.exe
1956	svchcst.exe
1904	svchcst.exe
872	svchcst.exe
1164	svchcst.exe
840	svchcst.exe
2904	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
1796	WScript.exe
1796	WScript.exe
2968	WScript.exe
2968	WScript.exe
332	WScript.exe
2780	WScript.exe
2804	WScript.exe
2804	WScript.exe
1080	WScript.exe
1080	WScript.exe
780	WScript.exe
780	WScript.exe
1312	WScript.exe
1312	WScript.exe
2416	WScript.exe
2416	WScript.exe
2792	WScript.exe
2792	WScript.exe
2696	WScript.exe
2696	WScript.exe
1456	WScript.exe
1456	WScript.exe
1780	WScript.exe
1780	WScript.exe
1140	WScript.exe
1140	WScript.exe
1332	WScript.exe
1332	WScript.exe
348	WScript.exe
348	WScript.exe
2740	WScript.exe
2740	WScript.exe
2584	WScript.exe
2584	WScript.exe
2744	WScript.exe
2744	WScript.exe
2956	WScript.exe
2956	WScript.exe
2768	WScript.exe
2768	WScript.exe
2896	WScript.exe
2896	WScript.exe
2000	WScript.exe
2000	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
2628	svchcst.exe
2628	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
1904	svchcst.exe
1904	svchcst.exe
872	svchcst.exe
872	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
840	svchcst.exe
840	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1796	2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe	28
PID 2416 wrote to memory of 1796	2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe	28
PID 2416 wrote to memory of 1796	2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe	28
PID 2416 wrote to memory of 1796	2416	02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe	28
PID 1796 wrote to memory of 2628	1796	WScript.exe	30
PID 1796 wrote to memory of 2628	1796	WScript.exe	30
PID 1796 wrote to memory of 2628	1796	WScript.exe	30
PID 1796 wrote to memory of 2628	1796	WScript.exe	30
PID 2628 wrote to memory of 2968	2628	svchcst.exe	31
PID 2628 wrote to memory of 2968	2628	svchcst.exe	31
PID 2628 wrote to memory of 2968	2628	svchcst.exe	31
PID 2628 wrote to memory of 2968	2628	svchcst.exe	31
PID 2968 wrote to memory of 2696	2968	WScript.exe	32
PID 2968 wrote to memory of 2696	2968	WScript.exe	32
PID 2968 wrote to memory of 2696	2968	WScript.exe	32
PID 2968 wrote to memory of 2696	2968	WScript.exe	32
PID 2696 wrote to memory of 332	2696	svchcst.exe	33
PID 2696 wrote to memory of 332	2696	svchcst.exe	33
PID 2696 wrote to memory of 332	2696	svchcst.exe	33
PID 2696 wrote to memory of 332	2696	svchcst.exe	33
PID 332 wrote to memory of 2356	332	WScript.exe	34
PID 332 wrote to memory of 2356	332	WScript.exe	34
PID 332 wrote to memory of 2356	332	WScript.exe	34
PID 332 wrote to memory of 2356	332	WScript.exe	34
PID 2356 wrote to memory of 2780	2356	svchcst.exe	35
PID 2356 wrote to memory of 2780	2356	svchcst.exe	35
PID 2356 wrote to memory of 2780	2356	svchcst.exe	35
PID 2356 wrote to memory of 2780	2356	svchcst.exe	35
PID 2780 wrote to memory of 2052	2780	WScript.exe	36
PID 2780 wrote to memory of 2052	2780	WScript.exe	36
PID 2780 wrote to memory of 2052	2780	WScript.exe	36
PID 2780 wrote to memory of 2052	2780	WScript.exe	36
PID 2052 wrote to memory of 2804	2052	svchcst.exe	37
PID 2052 wrote to memory of 2804	2052	svchcst.exe	37
PID 2052 wrote to memory of 2804	2052	svchcst.exe	37
PID 2052 wrote to memory of 2804	2052	svchcst.exe	37
PID 2804 wrote to memory of 1168	2804	WScript.exe	38
PID 2804 wrote to memory of 1168	2804	WScript.exe	38
PID 2804 wrote to memory of 1168	2804	WScript.exe	38
PID 2804 wrote to memory of 1168	2804	WScript.exe	38
PID 1168 wrote to memory of 1080	1168	svchcst.exe	39
PID 1168 wrote to memory of 1080	1168	svchcst.exe	39
PID 1168 wrote to memory of 1080	1168	svchcst.exe	39
PID 1168 wrote to memory of 1080	1168	svchcst.exe	39
PID 1080 wrote to memory of 2068	1080	WScript.exe	40
PID 1080 wrote to memory of 2068	1080	WScript.exe	40
PID 1080 wrote to memory of 2068	1080	WScript.exe	40
PID 1080 wrote to memory of 2068	1080	WScript.exe	40
PID 2068 wrote to memory of 780	2068	svchcst.exe	41
PID 2068 wrote to memory of 780	2068	svchcst.exe	41
PID 2068 wrote to memory of 780	2068	svchcst.exe	41
PID 2068 wrote to memory of 780	2068	svchcst.exe	41
PID 780 wrote to memory of 2424	780	WScript.exe	42
PID 780 wrote to memory of 2424	780	WScript.exe	42
PID 780 wrote to memory of 2424	780	WScript.exe	42
PID 780 wrote to memory of 2424	780	WScript.exe	42
PID 2424 wrote to memory of 1312	2424	svchcst.exe	43
PID 2424 wrote to memory of 1312	2424	svchcst.exe	43
PID 2424 wrote to memory of 1312	2424	svchcst.exe	43
PID 2424 wrote to memory of 1312	2424	svchcst.exe	43
PID 1312 wrote to memory of 2588	1312	WScript.exe	46
PID 1312 wrote to memory of 2588	1312	WScript.exe	46
PID 1312 wrote to memory of 2588	1312	WScript.exe	46
PID 1312 wrote to memory of 2588	1312	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe
"C:\Users\Admin\AppData\Local\Temp\02c781bf0610936247b2af454b9441bfc08636663bb953de1163a31838b85554.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8d233f35b7205393c6a6249efb20fff3

SHA1
70a8c328e615a09a4cbfd67d0f4cf615b4d27955

SHA256
e7fb18ff10816ec33448171e3a7577dc84b1d86b53d57ddb16e2593705e905f0

SHA512
8848cc7d1d9d21b74ac45bd0399988bd82315e2a42d9223a7b7c64b5b160b41bae313f8e32181c7864db6095bd3f6218215be0adb23e890c1fec0a6f7ea0b5bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fc0937042490ec63998ec3a2472aca1d

SHA1
1103750d487569e7194e2e297f7143c87e8c3d29

SHA256
6665a6e5494344bf97218f5c078fe0ba179e6f67a1b9cd40970e0c906740a89e

SHA512
526b97205cc63fc2be51f2d1ddbd4a6389ae8acc212edce5f72cc91c9ee736342148e00cab916889cb778839b6129826f9188af11fa4666189a170f483d60c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bb565ecf903959da085177aba18c1c4c

SHA1
c2f8c23eccb8f9f03357efe0099137dfce4c88a2

SHA256
98656a07c10bdec3c50b094ac9f7264273bd6a2bddc20b1467631cd83375a2df

SHA512
061d2ef4462735a750ec681007bd1909a638da8097e72d6638eacbf078a71c0cd89cc3c5f3bd28f86f105238a78721a2bd7898eb15cb23826465b3dc9af4ddda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f8ed843798b5185a03b3fc85dabd84f9

SHA1
0cd4f99bb4e3f6bfeb7eaf7a1389db230377f8fe

SHA256
41bfb2646551ac85f99d0308981398a92a463f7ddce91a636ef760e73cb97af0

SHA512
f20f7dbafcd790b17483fc551899e6f237c7f2db75fceb6d0d447f37a943991ed5587e6e13c11434d0c80d04b44cc033332e628e269814a0cd065230b06b69bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
526ffe845ad3dcdc012df1910f258cd0

SHA1
7b26f926b8118f415f30a74a083a05bea87642bc

SHA256
6ecf81ba31fd5a9231f40d50e3894057b13d3e059953bd28c81a234d5894241a

SHA512
e28ec77d4e907426ade3ca9952d46f192a87d1f1d9e0a5f53d838df4faa7e8b5eae7a9a864701080bc3ba84cda6ccbf97e16fd32b13cb4da0aebcf66948ee957

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9572bdc8ea785ba18086a70db8f19407

SHA1
60494bb1ae9ef40ff87501326ada19e0704ef419

SHA256
2492285c4ebff970ebe6f3351b4fc5a1461b8523d9600388158ab4b694a70c53

SHA512
02ae277ed2edc1ee3cb4167a31901694445f4157848f6199e199783c0d53a09b57b0a2060625b7d618eced700abf61d1ea3870bce1ea768cdd9ce9e1765fbf6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6143644127ea8c704236c419cd936502

SHA1
16ee30875946c0a85cd436028a80199f74f4d5de

SHA256
9d94b70692b37a1f911fc428ffa2d163c5de957a88e70257d523d124c6eb6bc3

SHA512
a98bba02c497ac4a51e1a3cb28db56530f2bbdfe0e645207e6175b9107a1f6b4b009d26f993e2b7d6e732241692784eb0eda02c767b5bc1f394a82c5d597ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4eece0ca12c406f1486f3ee300d67386

SHA1
abadb4fc638bb8a43ae79dc68ab0ad851879d73d

SHA256
319ebc0e78e3e63a861590e74f755a5984ab5cdf9d83f17f8b7efbf280a4ef57

SHA512
6015e3a847a52292b0d5fffa29f88ac8a7138769b371257b0c6e6bc87d68e3c5177ac7ab434adbd1a7060d5153fea8b72a6cf53f0cbf85b8c64977e0b5408650

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b1758010afe5a717cc2ee162160b7108

SHA1
98c1b858429fb9fc792475d417adcf560150bfae

SHA256
0b68a9835b6affe221bf2d3d85801a71bf7918b19e80051ad120a139e339b1da

SHA512
c474f27f452f69e63449f7620c8bd9c4ea931a9e0fb8819a640b590a5cf759ddcf4be96133db590661e577867b5eda868f66078198c80b3559c46d72567ee5cb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
293afdbdd6b0e33c443a1a9755dc65bd

SHA1
8e44a10de0eea8984a8464e7e58f7fa58455056b

SHA256
146762067e72b6a9f8d224372d9f029fb54e7b8682023c29fcfb5e7cbdd71053

SHA512
26a438e3c473e5a1a1d2eb530d1d22c8402856dd33e9c562185761c3c71392a3e9df6f819cd0eaefa1480b46203d04e805edd01ca2bc55d71f929b192a803615

Download Submit
memory/840-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/840-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1140-170-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/1140-171-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/1164-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1164-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1168-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1168-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-180-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/1332-181-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1456-153-0x0000000005930000-0x0000000005A8F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-190-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1904-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1904-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1948-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1948-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1956-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-249-0x0000000005A40000-0x0000000005B9F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2356-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2356-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2484-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2584-207-0x00000000046B0000-0x000000000480F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2628-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2628-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2780-51-0x0000000004870000-0x00000000049CF000-memory.dmp

Filesize
1.4MB

Download
memory/2804-66-0x00000000047F0000-0x000000000494F000-memory.dmp

Filesize
1.4MB

Download
memory/2904-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2984-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download