3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe
Size

1.1MB
MD5

3229e26e46a8157eb2271757acc39e48
SHA1

276de2ead4f01cc3ccd4df695f4156756403496c
SHA256

3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2
SHA512

4e1d7fcc8cb376a89f29771594ae309780be9bc906b73d8798879cbf3e531124fe23e44c4e6dfc04551c9f19f91e32ba0d81bb19c30e09b993b4c738aaa1d3c7
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q1:acallSllG4ZM7QzM+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2632	svchcst.exe
2580	svchcst.exe
1552	svchcst.exe
2760	svchcst.exe
2720	svchcst.exe
1548	svchcst.exe
1460	svchcst.exe
1636	svchcst.exe
2424	svchcst.exe
1976	svchcst.exe
2024	svchcst.exe
740	svchcst.exe
2256	svchcst.exe
952	svchcst.exe
1872	svchcst.exe
2488	svchcst.exe
2412	svchcst.exe
1544	svchcst.exe
2636	svchcst.exe
2248	svchcst.exe
996	svchcst.exe
968	svchcst.exe
312	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2968	WScript.exe
2968	WScript.exe
1632	WScript.exe
1632	WScript.exe
2248	WScript.exe
2248	WScript.exe
2036	WScript.exe
1940	WScript.exe
1940	WScript.exe
3008	WScript.exe
3008	WScript.exe
2224	WScript.exe
1920	WScript.exe
1604	WScript.exe
2632	WScript.exe
2632	WScript.exe
1584	WScript.exe
1584	WScript.exe
2012	WScript.exe
2012	WScript.exe
2760	WScript.exe
2760	WScript.exe
1760	WScript.exe
1760	WScript.exe
1964	WScript.exe
1964	WScript.exe
1744	WScript.exe
1744	WScript.exe
2172	WScript.exe
2172	WScript.exe
2288	WScript.exe
2288	WScript.exe
2704	WScript.exe
2704	WScript.exe
1280	WScript.exe
1280	WScript.exe
1356	WScript.exe
1356	WScript.exe
2012	WScript.exe
2012	WScript.exe
404	WScript.exe
404	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe
2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe
2632	svchcst.exe
2632	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
1548	svchcst.exe
1548	svchcst.exe
1460	svchcst.exe
1460	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
1976	svchcst.exe
1976	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
740	svchcst.exe
740	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
952	svchcst.exe
952	svchcst.exe
1872	svchcst.exe
1872	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
996	svchcst.exe
996	svchcst.exe
968	svchcst.exe
968	svchcst.exe
312	svchcst.exe
312	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2968	2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe	28
PID 2924 wrote to memory of 2968	2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe	28
PID 2924 wrote to memory of 2968	2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe	28
PID 2924 wrote to memory of 2968	2924	3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe	28
PID 2968 wrote to memory of 2632	2968	WScript.exe	30
PID 2968 wrote to memory of 2632	2968	WScript.exe	30
PID 2968 wrote to memory of 2632	2968	WScript.exe	30
PID 2968 wrote to memory of 2632	2968	WScript.exe	30
PID 2632 wrote to memory of 1632	2632	svchcst.exe	31
PID 2632 wrote to memory of 1632	2632	svchcst.exe	31
PID 2632 wrote to memory of 1632	2632	svchcst.exe	31
PID 2632 wrote to memory of 1632	2632	svchcst.exe	31
PID 1632 wrote to memory of 2580	1632	WScript.exe	32
PID 1632 wrote to memory of 2580	1632	WScript.exe	32
PID 1632 wrote to memory of 2580	1632	WScript.exe	32
PID 1632 wrote to memory of 2580	1632	WScript.exe	32
PID 2580 wrote to memory of 2248	2580	svchcst.exe	33
PID 2580 wrote to memory of 2248	2580	svchcst.exe	33
PID 2580 wrote to memory of 2248	2580	svchcst.exe	33
PID 2580 wrote to memory of 2248	2580	svchcst.exe	33
PID 2248 wrote to memory of 1552	2248	WScript.exe	34
PID 2248 wrote to memory of 1552	2248	WScript.exe	34
PID 2248 wrote to memory of 1552	2248	WScript.exe	34
PID 2248 wrote to memory of 1552	2248	WScript.exe	34
PID 1552 wrote to memory of 2036	1552	svchcst.exe	35
PID 1552 wrote to memory of 2036	1552	svchcst.exe	35
PID 1552 wrote to memory of 2036	1552	svchcst.exe	35
PID 1552 wrote to memory of 2036	1552	svchcst.exe	35
PID 2036 wrote to memory of 2760	2036	WScript.exe	36
PID 2036 wrote to memory of 2760	2036	WScript.exe	36
PID 2036 wrote to memory of 2760	2036	WScript.exe	36
PID 2036 wrote to memory of 2760	2036	WScript.exe	36
PID 2760 wrote to memory of 1940	2760	svchcst.exe	37
PID 2760 wrote to memory of 1940	2760	svchcst.exe	37
PID 2760 wrote to memory of 1940	2760	svchcst.exe	37
PID 2760 wrote to memory of 1940	2760	svchcst.exe	37
PID 1940 wrote to memory of 2720	1940	WScript.exe	38
PID 1940 wrote to memory of 2720	1940	WScript.exe	38
PID 1940 wrote to memory of 2720	1940	WScript.exe	38
PID 1940 wrote to memory of 2720	1940	WScript.exe	38
PID 2720 wrote to memory of 3008	2720	svchcst.exe	39
PID 2720 wrote to memory of 3008	2720	svchcst.exe	39
PID 2720 wrote to memory of 3008	2720	svchcst.exe	39
PID 2720 wrote to memory of 3008	2720	svchcst.exe	39
PID 3008 wrote to memory of 1548	3008	WScript.exe	40
PID 3008 wrote to memory of 1548	3008	WScript.exe	40
PID 3008 wrote to memory of 1548	3008	WScript.exe	40
PID 3008 wrote to memory of 1548	3008	WScript.exe	40
PID 1548 wrote to memory of 2224	1548	svchcst.exe	41
PID 1548 wrote to memory of 2224	1548	svchcst.exe	41
PID 1548 wrote to memory of 2224	1548	svchcst.exe	41
PID 1548 wrote to memory of 2224	1548	svchcst.exe	41
PID 2224 wrote to memory of 1460	2224	WScript.exe	42
PID 2224 wrote to memory of 1460	2224	WScript.exe	42
PID 2224 wrote to memory of 1460	2224	WScript.exe	42
PID 2224 wrote to memory of 1460	2224	WScript.exe	42
PID 1460 wrote to memory of 1920	1460	svchcst.exe	43
PID 1460 wrote to memory of 1920	1460	svchcst.exe	43
PID 1460 wrote to memory of 1920	1460	svchcst.exe	43
PID 1460 wrote to memory of 1920	1460	svchcst.exe	43
PID 1920 wrote to memory of 1636	1920	WScript.exe	44
PID 1920 wrote to memory of 1636	1920	WScript.exe	44
PID 1920 wrote to memory of 1636	1920	WScript.exe	44
PID 1920 wrote to memory of 1636	1920	WScript.exe	44

C:\Users\Admin\AppData\Local\Temp\3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe
"C:\Users\Admin\AppData\Local\Temp\3892866df4b66dacdb8ec0db1fa2ba93d0f1313bb6dbd0c2ad1db36b43fdb4e2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4d16622604bc3a46477d5644dc9c1233

SHA1
f977bab37ff4d3d99d986cfc6e7ca62cbfe11d2a

SHA256
cf2df3d2671425e07ab1633ef1c199c994d8f5736e4fef17ce1ef2fe90f1721c

SHA512
e326815eab6d6f8a7fc585e4d4c2229243bf5f8e2ad3dc77f800aa6f6b02c556343837eb195b7a5046c51a0c1fceaf26896410f4f95a4f9e4d70467b4b07fcb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ed13e3e32e20cdbc80eee8f5d667bd4a

SHA1
c321c4e9a08fce4789df193009b1a88f8bf80125

SHA256
da4150476f8ba3a1ab6fe6b7e15a365ed7239cb31ce5f10dd6db1ba3d4bce80f

SHA512
b62ee451339f60348c2416240c9b80561a922d8a29aa67b5fb370895bfe760904c2bfcf8168af967126350cc87ea678fe7d376317ba56c70387166f6b5f9babd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4f86af6fd8de3b3fbeab1b7841e3a72f

SHA1
5488c42821fa219b3b0bd759f761aef95956874c

SHA256
863a91024930d70eb25d2149ae03ef9d69db99b728728e52061fd399bf00b2ae

SHA512
066b15466eb40703395576276be9aed18715976fcc7f32c6adea80f02e47d191069e3fb29b608eb95b38fa4feb9b6a06ba102ee54adb81d74a790fcd1bf7dd9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
44f317c19f324e678b3cdcd139bcac7d

SHA1
2f746c446aacd510d7cc42cd482f1ea462d15081

SHA256
5e62db4639e377a5b6b17e67917033f7df014e3e3783441cd0487db95148d6ec

SHA512
88f63185f216021370271cf16dffe49cc94e44d14758eb104e773e25ea32f16a020683f2ee64dd607f9052afe309beb48830eebb68d0d36d6e53b5ad9143ccea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d12cedd3cf7d28c8cb009991338cc8a5

SHA1
2ccf49672c87f4412333014836a6027bb515cecd

SHA256
1f2a2e41e4b96bb509be4335227016c6149928811f1401775e7c8c40b497504c

SHA512
5dc48574d53abc196bf41ddd368b30fc700bf9536a0c4e277df45021d425090d849e60f31a2947b5201cfb464d712c7734506d019611010e985a24bfcd8a1508

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ce60a1a9a96acf55cca6f318ed3ca9a7

SHA1
3f21707b1091071c1a66e5098e4120509b202a85

SHA256
ce581268526389031d67030c6a1f0797446aed136a4400e5196e5a1269c8f007

SHA512
0b33fac1d2f927bdd728fd354ca1929865a5a42850513167966979469dfef4c6e3f1a094546a70bf68efb0291ac5c014949b5ac8434e6d1c5041806b748a73e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7b2930c6a95ce19656778fd86ca7c74f

SHA1
82cade6f616545b74f29cc00f8fc79bd8c880ece

SHA256
acd65c1521759893ca85ae9e67dbef1a64c4c6f5e16f68d0590991a4f8f6c882

SHA512
c94062bc01590c6e42b1e9b42999de41dc6f65eb23446f8b0b5dfd625c7dcb70a4a09ed50986661d1a5718378b8ecaf519e81a761ecc88334738bce5e7e2b0a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fd9cac8ef00edf56189c1705a2b9d9e0

SHA1
a8cc2e35ed5e962cd31d2724061fb03080247062

SHA256
1454d389d14f5c87e41d8ddaa0b502addf2ef6403ae2ccb460c104d211ce2125

SHA512
88a70df8665f6756fa0f2c627e831a47e4894696d7cc3617adbe5a9c788e51781d79989d39ddacf9b6f6a91fb4a15e19f548bcc459c65e0ce391eabb0322cb69

Download Submit
memory/312-255-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/404-254-0x0000000004760000-0x00000000048BF000-memory.dmp

Filesize
1.4MB

Download
memory/740-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/740-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1460-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1460-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1548-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1548-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1552-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1552-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1744-193-0x0000000004A50000-0x0000000004BAF000-memory.dmp

Filesize
1.4MB

Download
memory/1872-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1920-108-0x0000000004560000-0x00000000046BF000-memory.dmp

Filesize
1.4MB

Download
memory/1976-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-246-0x00000000058F0000-0x0000000005A4F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-54-0x0000000005990000-0x0000000005AEF000-memory.dmp

Filesize
1.4MB

Download
memory/2248-88-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/2248-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-122-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2488-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-136-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/2632-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2636-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-192-0x0000000004810000-0x000000000496F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download