83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
Size

1.1MB
MD5

d253038d4f59d64de1eb0e2fe7f57e0a
SHA1

2dbbf7f4e88c221263600ae9483430b975c71e20
SHA256

83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9
SHA512

6cc5573ba84d219e1dc129aad483bd4430c0a4119fa83b0f952baa2da2bac7158882e7edf579ce957fb9c4fee83f1124ffc9488266d2de880c19864bb0047b40
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q7:acallSllG4ZM7QzMc

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2684	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2684	svchcst.exe
2760	svchcst.exe
2404	svchcst.exe
1684	svchcst.exe
828	svchcst.exe
2496	svchcst.exe
3020	svchcst.exe
1052	svchcst.exe
2200	svchcst.exe
552	svchcst.exe
1932	svchcst.exe
2292	svchcst.exe
568	svchcst.exe
2328	svchcst.exe
2452	svchcst.exe
2456	svchcst.exe
3044	svchcst.exe
2992	svchcst.exe
2288	svchcst.exe
2504	svchcst.exe
1508	svchcst.exe
2068	svchcst.exe
1988	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2992	WScript.exe
2992	WScript.exe
2220	WScript.exe
2220	WScript.exe
2160	WScript.exe
2160	WScript.exe
320	WScript.exe
320	WScript.exe
864	WScript.exe
864	WScript.exe
1796	WScript.exe
1796	WScript.exe
1892	WScript.exe
1596	WScript.exe
1596	WScript.exe
2720	WScript.exe
2720	WScript.exe
2720	WScript.exe
2748	WScript.exe
2748	WScript.exe
1672	WScript.exe
1672	WScript.exe
1148	WScript.exe
1148	WScript.exe
1176	WScript.exe
1176	WScript.exe
2004	WScript.exe
2004	WScript.exe
2896	WScript.exe
2896	WScript.exe
2632	WScript.exe
2632	WScript.exe
1728	WScript.exe
1728	WScript.exe
352	WScript.exe
352	WScript.exe
584	WScript.exe
584	WScript.exe
2080	WScript.exe
2080	WScript.exe
1276	WScript.exe
1276	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
2684	svchcst.exe
2684	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
828	svchcst.exe
828	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
1052	svchcst.exe
1052	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
552	svchcst.exe
552	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
568	svchcst.exe
568	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2992	2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe	28
PID 2116 wrote to memory of 2992	2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe	28
PID 2116 wrote to memory of 2992	2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe	28
PID 2116 wrote to memory of 2992	2116	83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe	28
PID 2992 wrote to memory of 2684	2992	WScript.exe	30
PID 2992 wrote to memory of 2684	2992	WScript.exe	30
PID 2992 wrote to memory of 2684	2992	WScript.exe	30
PID 2992 wrote to memory of 2684	2992	WScript.exe	30
PID 2684 wrote to memory of 2220	2684	svchcst.exe	31
PID 2684 wrote to memory of 2220	2684	svchcst.exe	31
PID 2684 wrote to memory of 2220	2684	svchcst.exe	31
PID 2684 wrote to memory of 2220	2684	svchcst.exe	31
PID 2220 wrote to memory of 2760	2220	WScript.exe	32
PID 2220 wrote to memory of 2760	2220	WScript.exe	32
PID 2220 wrote to memory of 2760	2220	WScript.exe	32
PID 2220 wrote to memory of 2760	2220	WScript.exe	32
PID 2760 wrote to memory of 2160	2760	svchcst.exe	33
PID 2760 wrote to memory of 2160	2760	svchcst.exe	33
PID 2760 wrote to memory of 2160	2760	svchcst.exe	33
PID 2760 wrote to memory of 2160	2760	svchcst.exe	33
PID 2160 wrote to memory of 2404	2160	WScript.exe	34
PID 2160 wrote to memory of 2404	2160	WScript.exe	34
PID 2160 wrote to memory of 2404	2160	WScript.exe	34
PID 2160 wrote to memory of 2404	2160	WScript.exe	34
PID 2404 wrote to memory of 320	2404	svchcst.exe	35
PID 2404 wrote to memory of 320	2404	svchcst.exe	35
PID 2404 wrote to memory of 320	2404	svchcst.exe	35
PID 2404 wrote to memory of 320	2404	svchcst.exe	35
PID 320 wrote to memory of 1684	320	WScript.exe	36
PID 320 wrote to memory of 1684	320	WScript.exe	36
PID 320 wrote to memory of 1684	320	WScript.exe	36
PID 320 wrote to memory of 1684	320	WScript.exe	36
PID 1684 wrote to memory of 864	1684	svchcst.exe	37
PID 1684 wrote to memory of 864	1684	svchcst.exe	37
PID 1684 wrote to memory of 864	1684	svchcst.exe	37
PID 1684 wrote to memory of 864	1684	svchcst.exe	37
PID 864 wrote to memory of 828	864	WScript.exe	38
PID 864 wrote to memory of 828	864	WScript.exe	38
PID 864 wrote to memory of 828	864	WScript.exe	38
PID 864 wrote to memory of 828	864	WScript.exe	38
PID 828 wrote to memory of 1796	828	svchcst.exe	39
PID 828 wrote to memory of 1796	828	svchcst.exe	39
PID 828 wrote to memory of 1796	828	svchcst.exe	39
PID 828 wrote to memory of 1796	828	svchcst.exe	39
PID 1796 wrote to memory of 2496	1796	WScript.exe	40
PID 1796 wrote to memory of 2496	1796	WScript.exe	40
PID 1796 wrote to memory of 2496	1796	WScript.exe	40
PID 1796 wrote to memory of 2496	1796	WScript.exe	40
PID 2496 wrote to memory of 1892	2496	svchcst.exe	41
PID 2496 wrote to memory of 1892	2496	svchcst.exe	41
PID 2496 wrote to memory of 1892	2496	svchcst.exe	41
PID 2496 wrote to memory of 1892	2496	svchcst.exe	41
PID 1892 wrote to memory of 3020	1892	WScript.exe	44
PID 1892 wrote to memory of 3020	1892	WScript.exe	44
PID 1892 wrote to memory of 3020	1892	WScript.exe	44
PID 1892 wrote to memory of 3020	1892	WScript.exe	44
PID 3020 wrote to memory of 1596	3020	svchcst.exe	45
PID 3020 wrote to memory of 1596	3020	svchcst.exe	45
PID 3020 wrote to memory of 1596	3020	svchcst.exe	45
PID 3020 wrote to memory of 1596	3020	svchcst.exe	45
PID 1596 wrote to memory of 1052	1596	WScript.exe	46
PID 1596 wrote to memory of 1052	1596	WScript.exe	46
PID 1596 wrote to memory of 1052	1596	WScript.exe	46
PID 1596 wrote to memory of 1052	1596	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe
"C:\Users\Admin\AppData\Local\Temp\83982622f98c60638df81b983b6c3357d38abbaa34c2ec9ed9ef9a9f29d581b9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7fddfdfb3b018fd2cea29f5da32a5edf

SHA1
7b9b92f4b5b6999e1d72e96260ba86256373ac3f

SHA256
affbf5b75e4dcd765a1f5c0eba20fe8faf86b9c4200b1ead44eb52732aec69e8

SHA512
1b59beb82f53285c919e844b5940288e8d5098267e6fafaa58ac9ecaa80d400e8206d092c19ad617f097620a07a52489906c6b874478d5110b7e488d712a419e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7f92a34f71720b04d60028801eb07932

SHA1
1701bae49609dc0ad1ab56823ae2414fd6c286c5

SHA256
b7445df62a392850e8ed07fba398dd5896625b6bcd694dfb5a02797ca2c637ee

SHA512
f5173fb410530956a6fcc8a15894c4186ae7fbac8e408714143359b476a2a2b1bd528cdb2e4647d1c16b99f108e452fb4fcb0a6db5eae6750fc6f6d8edd85360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1fa450ee2b1f945ac9fb03e3bed34745

SHA1
8a2eaf1da435c259daefec559181368600ae9beb

SHA256
6c20318c8cbf1faa8f116fb47d6ff44b0b1efbe03639c9336d06342c7045601a

SHA512
c70ef6c3e1781d5248a3608eb192a888fb4780944da7c9793ccd15a8b3b84061ad9c1e9b9dd5e3fee014ec4f1a3abfe3a631631dba6fdba87a4e031adeaab832

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3d9ae6c09d9bf69a4a33062fae8fd06a

SHA1
d1be81db32d852dacbfc82d8b2d1337ed4aa5fbb

SHA256
6a949aff9c6eb840fa6fd8e08f2f3644ef99bc6b268d5df889856dcead77e221

SHA512
2dd6b9275c963f2b11c34c5bc031375783563f94ffd58e91f05c4451f2217a9f713b5ab0605f170d2fa0add6c1887e082b2411eea93714ff7dab657d7171ad15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f0f6586468d7fcd83052873cac1bdd92

SHA1
eb0bf0fddb426664e90d6f984e7f64f5b6c0eb7d

SHA256
f9319bf7d2bbde0653e0e089c5ff40e81e9c3b6d5be586d14e3b4d7aa71d85b2

SHA512
56518a62f0452f3227bdaf95744899c365755441f9a49791a1cf1717e80667cf24c0b222537891125ae266f8800501f1ad24b5a81ff8d9aa80a1999b7ac7490e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a94626d1a227840f38d5e24c00f0019

SHA1
952c90037a5183ff3bc265cd9a510599cf9bdcc3

SHA256
4e5f02d708cf71df2df51d5e764792af0c2b03ecbf5a39144b48936bfe7303d3

SHA512
1da481e5f62d2075940643216008b09f4514b4fbb7860a594eacc25f150a4e2f288eca17bf97258687d033b3170116cd296679423af1aa8ff58fd374e9fff3a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
790cd577dab4d99449f2af1d6111779a

SHA1
3348737daf891c1fd5c1d5d84523a30c19b5a8b5

SHA256
12fa6dd0ae5ecc37e52d5f9d20d46ffcbe58424a885c077a315540179d96daca

SHA512
607c341161b232ea36b1c9969d1953b8727a369628590c6ac53d28fed5ad0154a3f8289b2f317d79f9c89abc0d34aef5227ba9f03385bad5b8cc5c00563457d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86c2babbba027bc62c55318fc8e52f6e

SHA1
6e99914a1db66fceff9ffede4532e17594e58d48

SHA256
6e778f248c059acf172ee6df3f03238bd44545dfadc896df4377b905b7bfb10b

SHA512
2ba4c7884873ff04bf5e03af1d0aad1fd0f2c286ec19382890b4074910f1286a308a6a0ce9349efb54b6c761e155b5bd5cefb83c99c1e6a3c7c6cb8ed1bd9320

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
adec1bde2dff1da387e7102ae32f5df1

SHA1
1621e41e4f027b132370f54bc2320bc8130c845f

SHA256
83039c7cbd1e335bdb92ad61776c2bec410d5cca5d120c70948ffad04a41f998

SHA512
ba85b696a2967eaa1f9fc69c41c15d8e01304c3aac60810fb30ab74c216ae4289c9ebfe1885c3320afe927fe3f4cd5f39c646a160fd9dc2f41385c9d295041a8

Download Submit
memory/352-217-0x0000000005B10000-0x0000000005C6F000-memory.dmp

Filesize
1.4MB

Download
memory/552-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/552-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/568-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/568-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/584-226-0x0000000004A70000-0x0000000004BCF000-memory.dmp

Filesize
1.4MB

Download
memory/828-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/828-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/864-70-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/864-71-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/1052-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1052-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1596-120-0x0000000005C40000-0x0000000005D9F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-86-0x0000000005B50000-0x0000000005CAF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2080-235-0x0000000004840000-0x000000000499F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2200-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2200-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-28-0x0000000005D00000-0x0000000005E5F000-memory.dmp

Filesize
1.4MB

Download
memory/2288-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-154-0x0000000004800000-0x000000000495F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3044-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3044-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download