812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe
Size

1.1MB
MD5

ecdd03327b5b7772de069c9eead50239
SHA1

0cc5066d15a5314caeea56b8aa8c3203df9e1983
SHA256

812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973
SHA512

ea498f1ae0050404237add5c063e40b9883562c5fe143765ca603558e718c08ae07129f6c52fd2e3fea23c3b3ee94d6cee4a15ad63341f2153f35e2803b0b6fd
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QO:acallSllG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2748	svchcst.exe
3020	svchcst.exe
2508	svchcst.exe
888	svchcst.exe
796	svchcst.exe
2352	svchcst.exe
1096	svchcst.exe
2888	svchcst.exe
856	svchcst.exe
3036	svchcst.exe
1532	svchcst.exe
2032	svchcst.exe
1652	svchcst.exe
1476	svchcst.exe
2296	svchcst.exe
1640	svchcst.exe
1720	svchcst.exe
2532	svchcst.exe
2664	svchcst.exe
2164	svchcst.exe
1680	svchcst.exe
2040	svchcst.exe
1508	svchcst.exe
1804	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
1076	WScript.exe
1076	WScript.exe
2864	WScript.exe
2844	WScript.exe
2844	WScript.exe
2844	WScript.exe
2076	WScript.exe
1940	WScript.exe
996	WScript.exe
996	WScript.exe
996	WScript.exe
2216	WScript.exe
2216	WScript.exe
2580	WScript.exe
2580	WScript.exe
2292	WScript.exe
2292	WScript.exe
2480	WScript.exe
2480	WScript.exe
2844	WScript.exe
2844	WScript.exe
2076	WScript.exe
2076	WScript.exe
892	WScript.exe
892	WScript.exe
2204	WScript.exe
2204	WScript.exe
1972	WScript.exe
1972	WScript.exe
2244	WScript.exe
2244	WScript.exe
3040	WScript.exe
3040	WScript.exe
872	WScript.exe
872	WScript.exe
2232	WScript.exe
2232	WScript.exe
1084	WScript.exe
1084	WScript.exe
2328	WScript.exe
2328	WScript.exe
1496	WScript.exe
1496	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe
2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe
2748	svchcst.exe
2748	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
888	svchcst.exe
888	svchcst.exe
796	svchcst.exe
796	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
856	svchcst.exe
856	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
1476	svchcst.exe
1476	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
1640	svchcst.exe
1640	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1076	2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe	28
PID 2808 wrote to memory of 1076	2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe	28
PID 2808 wrote to memory of 1076	2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe	28
PID 2808 wrote to memory of 1076	2808	812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe	28
PID 1076 wrote to memory of 2748	1076	WScript.exe	30
PID 1076 wrote to memory of 2748	1076	WScript.exe	30
PID 1076 wrote to memory of 2748	1076	WScript.exe	30
PID 1076 wrote to memory of 2748	1076	WScript.exe	30
PID 2748 wrote to memory of 2864	2748	svchcst.exe	31
PID 2748 wrote to memory of 2864	2748	svchcst.exe	31
PID 2748 wrote to memory of 2864	2748	svchcst.exe	31
PID 2748 wrote to memory of 2864	2748	svchcst.exe	31
PID 2864 wrote to memory of 3020	2864	WScript.exe	32
PID 2864 wrote to memory of 3020	2864	WScript.exe	32
PID 2864 wrote to memory of 3020	2864	WScript.exe	32
PID 2864 wrote to memory of 3020	2864	WScript.exe	32
PID 3020 wrote to memory of 2844	3020	svchcst.exe	33
PID 3020 wrote to memory of 2844	3020	svchcst.exe	33
PID 3020 wrote to memory of 2844	3020	svchcst.exe	33
PID 3020 wrote to memory of 2844	3020	svchcst.exe	33
PID 2844 wrote to memory of 2508	2844	WScript.exe	34
PID 2844 wrote to memory of 2508	2844	WScript.exe	34
PID 2844 wrote to memory of 2508	2844	WScript.exe	34
PID 2844 wrote to memory of 2508	2844	WScript.exe	34
PID 2508 wrote to memory of 1116	2508	svchcst.exe	35
PID 2508 wrote to memory of 1116	2508	svchcst.exe	35
PID 2508 wrote to memory of 1116	2508	svchcst.exe	35
PID 2508 wrote to memory of 1116	2508	svchcst.exe	35
PID 2844 wrote to memory of 888	2844	WScript.exe	36
PID 2844 wrote to memory of 888	2844	WScript.exe	36
PID 2844 wrote to memory of 888	2844	WScript.exe	36
PID 2844 wrote to memory of 888	2844	WScript.exe	36
PID 888 wrote to memory of 2076	888	svchcst.exe	37
PID 888 wrote to memory of 2076	888	svchcst.exe	37
PID 888 wrote to memory of 2076	888	svchcst.exe	37
PID 888 wrote to memory of 2076	888	svchcst.exe	37
PID 2076 wrote to memory of 796	2076	WScript.exe	38
PID 2076 wrote to memory of 796	2076	WScript.exe	38
PID 2076 wrote to memory of 796	2076	WScript.exe	38
PID 2076 wrote to memory of 796	2076	WScript.exe	38
PID 796 wrote to memory of 1940	796	svchcst.exe	39
PID 796 wrote to memory of 1940	796	svchcst.exe	39
PID 796 wrote to memory of 1940	796	svchcst.exe	39
PID 796 wrote to memory of 1940	796	svchcst.exe	39
PID 1940 wrote to memory of 2352	1940	WScript.exe	40
PID 1940 wrote to memory of 2352	1940	WScript.exe	40
PID 1940 wrote to memory of 2352	1940	WScript.exe	40
PID 1940 wrote to memory of 2352	1940	WScript.exe	40
PID 2352 wrote to memory of 996	2352	svchcst.exe	41
PID 2352 wrote to memory of 996	2352	svchcst.exe	41
PID 2352 wrote to memory of 996	2352	svchcst.exe	41
PID 2352 wrote to memory of 996	2352	svchcst.exe	41
PID 996 wrote to memory of 1096	996	WScript.exe	42
PID 996 wrote to memory of 1096	996	WScript.exe	42
PID 996 wrote to memory of 1096	996	WScript.exe	42
PID 996 wrote to memory of 1096	996	WScript.exe	42
PID 1096 wrote to memory of 628	1096	svchcst.exe	43
PID 1096 wrote to memory of 628	1096	svchcst.exe	43
PID 1096 wrote to memory of 628	1096	svchcst.exe	43
PID 1096 wrote to memory of 628	1096	svchcst.exe	43
PID 996 wrote to memory of 2888	996	WScript.exe	46
PID 996 wrote to memory of 2888	996	WScript.exe	46
PID 996 wrote to memory of 2888	996	WScript.exe	46
PID 996 wrote to memory of 2888	996	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe
"C:\Users\Admin\AppData\Local\Temp\812cbf49eddeddf09f1459b4661024a4a5c20e900bf968ad46e0260909969973.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
21ba965ba598c3227fc76824876d82ac

SHA1
f8ca61b15c63d9b787119419f2afac31b5cfdb62

SHA256
7e5370632b14287938dc128290edd46dc0c4a9a20498f27acb48814868a62a4a

SHA512
6cb8372cb97526a09ae4b38cb81eeed3a937f72ab17d8838b8cdad40f13b36878df8eb407c86e26c56a0f9d8f4cfdd77d089c24a243535628275c887368297d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae63ded87a90f9812749cac189d07a57

SHA1
5a37ba565ce8c2445ff71f7c3d7adc38cb68627f

SHA256
6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236

SHA512
293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
169856fe1e8bb6504f7eb2afb49a3c2e

SHA1
92d5d4d7880739ee85034301579f6aee9a22f77d

SHA256
2437b3f463c99871dac734a29b6011157513ee942260a615fd407b5b32fb0046

SHA512
212c129646b6805690c20fb50618828a778b7984ce630cc3783f37b6848b90436a8496eae5cf0eec4e4bf9a00a514eb1eb14583e26ee96aa1928315ecaec4945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f9eb246630d6d39ab8a1d02bf242a1bc

SHA1
48855eb851312000be9cc69c58ea0a10dd2a166d

SHA256
56599e38fcce3f9996435ddc07c5b5db984c3030d6deea966d6cb9d3654b964e

SHA512
8f59b63a7803b268d571702d88325c695a552b57bbcea7fb0233eafa72211e22ec1ccd4881ced18232c066e805c1c90153997fb5ec3bacd7aa3ea164008209a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
79705e21db2cfb8511be5a4898bd6f0c

SHA1
cf968e872d4163fe5989b6293300c3af07362c96

SHA256
35abc5eb7395237f8d0e6e1366f33dd977f7b8e7f8ea75ad7ba186019784e8cd

SHA512
0b53a06fd0e7479136198bf93a12905a67df436c668f66af6085f5e278d26263aa60af23841c9e09493dbb9dea9ee122e958ba8738ef9bcc9a15d88601356ad4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4ebcfcf6b4ec406056ca6461b1e4e3b8

SHA1
c8aeef346f032148cab1528e0f62ecacd38767de

SHA256
73d3fa5281eaa1b865e5403cc65d0ce36b3e30ab1f11a222e9bbf8a8c7fb0aab

SHA512
251bc60098c23069eacf14cc4f9ea8cbf88775fbe1de2a2aa8f50f110a9da360779adb5717cb8f3ef6dfeed6911fc61d0574c85d0d5beac120d4171306811e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2407f34389587526cd9715777dc4647f

SHA1
c8c3a95f33373a3ec8110fac5dc68f523071cf83

SHA256
8cc29991c0b3c2ef1b0aa94141f1fa817e26020cb04bbd94b12f23dd8fbbb682

SHA512
ebc3619737f3982f7adefa8c82e3e4258a09851d96147eb7435d0e78c476098d6fd4b3fedc2f1868781b80b5ad84933b1ba743403b0a6cce449b2cc8b3e33a57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
816c9ecacaab7a26a609f076ff2e3732

SHA1
8a799040b35b97fdda6754fab2107b416f56205e

SHA256
87c8f418ff976433f7f996fb12ea04e63ab8d562514492b6444be187a2f4fb54

SHA512
2f2e08538139df3596b889e90723806ba9602a9bac67be6372844cbaf94bad9da6f74fcbb2a7ed17dafe7b8e7cc896eb3fbedca565f585009201f6bf938a8c9b

Download Submit
memory/796-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/796-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/856-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-224-0x0000000005C90000-0x0000000005DEF000-memory.dmp

Filesize
1.4MB

Download
memory/888-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/888-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/892-179-0x0000000004580000-0x00000000046DF000-memory.dmp

Filesize
1.4MB

Download
memory/892-180-0x0000000004580000-0x00000000046DF000-memory.dmp

Filesize
1.4MB

Download
memory/996-98-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/996-85-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/1084-240-0x00000000042C0000-0x000000000441F000-memory.dmp

Filesize
1.4MB

Download
memory/1096-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1096-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1496-262-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/1508-257-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-263-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-198-0x0000000005D70000-0x0000000005ECF000-memory.dmp

Filesize
1.4MB

Download
memory/2032-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-171-0x0000000005880000-0x00000000059DF000-memory.dmp

Filesize
1.4MB

Download
memory/2076-62-0x0000000005B00000-0x0000000005C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-170-0x0000000005880000-0x00000000059DF000-memory.dmp

Filesize
1.4MB

Download
memory/2164-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-189-0x0000000004530000-0x000000000468F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-113-0x00000000043C0000-0x000000000451F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-112-0x00000000043C0000-0x000000000451F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-207-0x0000000005DD0000-0x0000000005F2F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-141-0x0000000005B70000-0x0000000005CCF000-memory.dmp

Filesize
1.4MB

Download
memory/2296-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2296-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-249-0x0000000004340000-0x000000000449F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2352-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-155-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download
memory/2480-150-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-215-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-126-0x0000000004640000-0x000000000479F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2808-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2808-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-164-0x00000000048E0000-0x0000000004A3F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-165-0x0000000005D30000-0x0000000005E8F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download