8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
Size

1.1MB
MD5

a287f6e56d12a9fabca2938e6b3d9061
SHA1

20d6adbc291fc085cbbecfe25622df117594e156
SHA256

8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f
SHA512

824ff3f7e1adc45f00525e9fbea1779840da43b01091c2074fda8bffd8a4fca315717d50c915f4a7af41fc08d5e87783d5e6f4fbcc0b25f5bb3315b99d767327
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QA:acallSllG4ZM7QzMH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2424	svchcst.exe

Executes dropped EXE 27 IoCs

pid	Process
2424	svchcst.exe
2656	svchcst.exe
1676	svchcst.exe
2236	svchcst.exe
1408	svchcst.exe
844	svchcst.exe
1900	svchcst.exe
2956	svchcst.exe
2732	svchcst.exe
1892	svchcst.exe
1588	svchcst.exe
2860	svchcst.exe
1192	svchcst.exe
1724	svchcst.exe
2232	svchcst.exe
1912	svchcst.exe
2296	svchcst.exe
1532	svchcst.exe
2564	svchcst.exe
2144	svchcst.exe
2284	svchcst.exe
2844	svchcst.exe
1060	svchcst.exe
2244	svchcst.exe
2260	svchcst.exe
1216	svchcst.exe
3064	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2564	WScript.exe
2564	WScript.exe
2240	WScript.exe
2604	WScript.exe
1968	WScript.exe
1968	WScript.exe
1968	WScript.exe
1744	WScript.exe
1472	WScript.exe
1472	WScript.exe
1472	WScript.exe
2060	WScript.exe
2060	WScript.exe
2060	WScript.exe
2060	WScript.exe
2668	WScript.exe
2668	WScript.exe
1020	WScript.exe
1020	WScript.exe
1704	WScript.exe
1704	WScript.exe
2088	WScript.exe
2088	WScript.exe
888	WScript.exe
888	WScript.exe
2836	WScript.exe
2836	WScript.exe
2732	WScript.exe
2732	WScript.exe
3056	WScript.exe
3056	WScript.exe
3048	WScript.exe
1564	WScript.exe
1564	WScript.exe
2460	WScript.exe
2460	WScript.exe
564	WScript.exe
564	WScript.exe
816	WScript.exe
816	WScript.exe
2948	WScript.exe
2948	WScript.exe
1772	WScript.exe
1772	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
2424	svchcst.exe
2424	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
844	svchcst.exe
844	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
1892	svchcst.exe
1892	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
1192	svchcst.exe
1192	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
2244	svchcst.exe
2244	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2564	3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	28
PID 3056 wrote to memory of 2564	3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	28
PID 3056 wrote to memory of 2564	3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	28
PID 3056 wrote to memory of 2564	3056	8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe	28
PID 2564 wrote to memory of 2424	2564	WScript.exe	30
PID 2564 wrote to memory of 2424	2564	WScript.exe	30
PID 2564 wrote to memory of 2424	2564	WScript.exe	30
PID 2564 wrote to memory of 2424	2564	WScript.exe	30
PID 2424 wrote to memory of 2240	2424	svchcst.exe	31
PID 2424 wrote to memory of 2240	2424	svchcst.exe	31
PID 2424 wrote to memory of 2240	2424	svchcst.exe	31
PID 2424 wrote to memory of 2240	2424	svchcst.exe	31
PID 2240 wrote to memory of 2656	2240	WScript.exe	32
PID 2240 wrote to memory of 2656	2240	WScript.exe	32
PID 2240 wrote to memory of 2656	2240	WScript.exe	32
PID 2240 wrote to memory of 2656	2240	WScript.exe	32
PID 2656 wrote to memory of 2604	2656	svchcst.exe	33
PID 2656 wrote to memory of 2604	2656	svchcst.exe	33
PID 2656 wrote to memory of 2604	2656	svchcst.exe	33
PID 2656 wrote to memory of 2604	2656	svchcst.exe	33
PID 2604 wrote to memory of 1676	2604	WScript.exe	34
PID 2604 wrote to memory of 1676	2604	WScript.exe	34
PID 2604 wrote to memory of 1676	2604	WScript.exe	34
PID 2604 wrote to memory of 1676	2604	WScript.exe	34
PID 1676 wrote to memory of 1968	1676	svchcst.exe	35
PID 1676 wrote to memory of 1968	1676	svchcst.exe	35
PID 1676 wrote to memory of 1968	1676	svchcst.exe	35
PID 1676 wrote to memory of 1968	1676	svchcst.exe	35
PID 1968 wrote to memory of 2236	1968	WScript.exe	36
PID 1968 wrote to memory of 2236	1968	WScript.exe	36
PID 1968 wrote to memory of 2236	1968	WScript.exe	36
PID 1968 wrote to memory of 2236	1968	WScript.exe	36
PID 2236 wrote to memory of 2408	2236	svchcst.exe	37
PID 2236 wrote to memory of 2408	2236	svchcst.exe	37
PID 2236 wrote to memory of 2408	2236	svchcst.exe	37
PID 2236 wrote to memory of 2408	2236	svchcst.exe	37
PID 1968 wrote to memory of 1408	1968	WScript.exe	38
PID 1968 wrote to memory of 1408	1968	WScript.exe	38
PID 1968 wrote to memory of 1408	1968	WScript.exe	38
PID 1968 wrote to memory of 1408	1968	WScript.exe	38
PID 1408 wrote to memory of 1744	1408	svchcst.exe	39
PID 1408 wrote to memory of 1744	1408	svchcst.exe	39
PID 1408 wrote to memory of 1744	1408	svchcst.exe	39
PID 1408 wrote to memory of 1744	1408	svchcst.exe	39
PID 1968 wrote to memory of 844	1968	WScript.exe	40
PID 1968 wrote to memory of 844	1968	WScript.exe	40
PID 1968 wrote to memory of 844	1968	WScript.exe	40
PID 1968 wrote to memory of 844	1968	WScript.exe	40
PID 844 wrote to memory of 1472	844	svchcst.exe	41
PID 844 wrote to memory of 1472	844	svchcst.exe	41
PID 844 wrote to memory of 1472	844	svchcst.exe	41
PID 844 wrote to memory of 1472	844	svchcst.exe	41
PID 1744 wrote to memory of 1900	1744	WScript.exe	42
PID 1744 wrote to memory of 1900	1744	WScript.exe	42
PID 1744 wrote to memory of 1900	1744	WScript.exe	42
PID 1744 wrote to memory of 1900	1744	WScript.exe	42
PID 1472 wrote to memory of 2956	1472	WScript.exe	43
PID 1472 wrote to memory of 2956	1472	WScript.exe	43
PID 1472 wrote to memory of 2956	1472	WScript.exe	43
PID 1472 wrote to memory of 2956	1472	WScript.exe	43
PID 2956 wrote to memory of 2060	2956	svchcst.exe	44
PID 2956 wrote to memory of 2060	2956	svchcst.exe	44
PID 2956 wrote to memory of 2060	2956	svchcst.exe	44
PID 2956 wrote to memory of 2060	2956	svchcst.exe	44

C:\Users\Admin\AppData\Local\Temp\8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe
"C:\Users\Admin\AppData\Local\Temp\8ab5a4f643fc1462f5235a1ab0f6b6498efcc4d00ff22773003e3c4bc317717f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
46f3eb682550fe0ba5765974d2cfcdec

SHA1
dcbfdcb97a0d7b7b7543515ab792ea5802da6744

SHA256
d16e376f1d898ef241e8af03db1fe7d689cd1ba957d5c4daa4951f16b2827d6d

SHA512
b8a4c689d65b2955bbffb570dbe859bdc741c477e5d1413577382dc364626f36cf0ae9b7f497b4ccde54ef28e9077d8eb61f99ce01cf9de6d7b993b4f6bf8e73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
07c1e1865ebbb363fefe91f76bdb7eda

SHA1
3ae327a1649953ae9a4eae9e6525fc11ee704763

SHA256
87c7ffda2fd1c9dcfec13b7d06a1b558121fa2d5699959f8abf1924b648be9da

SHA512
06c151133622730a71f1f80a03c3f3271e2bfceb3cba1f89049e77539fdc2835c5e1964334925941e84317d9c905b112079f173de12e9e30b3720ccf3ab4add6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a2a4c28ec658a861957c54774fecbca

SHA1
684b8bd81b62a1c5af46f34be690ef4b3d193dba

SHA256
bc6f472b0a8a967f6776d10f81afe80b553f3fbfc099e3a8388229f00d9b0807

SHA512
70a27321ff5f337d79b798888fefdbaac8b2b589eb6f200fb83cde642e8aa11b967efb4ce80da8485f7dd0fc2360a5881aae6fc369cb11489107368720e0dd97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
206fcfe24cdfe88f8be3ea3d7f9b288e

SHA1
5f9b8da6b81cf0fdc14109e0380ac7189ff64213

SHA256
8986a7942dfb45752b2c94a45199c9a2c54b8d1e3be963f12052a1f17c7523d8

SHA512
0d2bff5d9638ba180547e9c5c67babf0d8db63d3dc70aced863830a3ab48b6becfae524c3531e8ada7bf0904c8130ca35ffa0ded1b7ca36a822cac8480ab83b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
25fea41525967a4672b3194db3247c59

SHA1
9ffedc15d9e21c22daea542252f3e030402410bc

SHA256
9917694e45a8b6ea6eaf75677568d374f965e6719f2f52889ffbc6e4b4a1861b

SHA512
38ae52f43e8c1f328c9068cf81060b47c419c9d14a094e0ee1fd440840b977e572c512ed67ab609b01a806abaf560193cf4d6ed62d1bb39187540f5d29c4a947

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7d3ea353b80fffb2c25f99652248e9eb

SHA1
f4177a3e1fec799731931b30c8242691950c8bf5

SHA256
e6a759d783e608274c79cf851f817389b8aa0ed4107813e5fb82beea933896a7

SHA512
b40d84fdb0fce4a9917d37aebc00e0774e1b971909396165def5e9650ded96fab9200a69797acf1b6c2f7aa9f01222060e5e96dbed6b5c61b30373d22484f811

Download Submit
memory/816-232-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/816-233-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/844-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/844-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/888-171-0x0000000005A30000-0x0000000005B8F000-memory.dmp

Filesize
1.4MB

Download
memory/1020-147-0x0000000005EF0000-0x000000000604F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1060-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1192-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1216-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1216-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1408-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1472-99-0x0000000005B50000-0x0000000005CAF000-memory.dmp

Filesize
1.4MB

Download
memory/1472-85-0x0000000004470000-0x00000000045CF000-memory.dmp

Filesize
1.4MB

Download
memory/1532-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1588-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1588-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1724-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-78-0x0000000004450000-0x00000000045AF000-memory.dmp

Filesize
1.4MB

Download
memory/1892-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1900-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-107-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2060-121-0x0000000005BC0000-0x0000000005D1F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2260-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2284-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2296-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2296-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2656-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-134-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-189-0x0000000004090000-0x00000000041EF000-memory.dmp

Filesize
1.4MB

Download
memory/2732-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-197-0x00000000043D0000-0x000000000452F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download