72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe
Size

1.1MB
MD5

ec54458396f86ab193496530067c9f4d
SHA1

cde2f1466cb3f5917d2d2e65f6ce29c60e008374
SHA256

72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755
SHA512

c2a6264510ff5bf9cbbcf4a8e568227ce0de474a93fa82861c9df07a0904f53e4f4ab44c9cc066d4049b4d676157bdcc8616cf5abee163dd8dbe8d74764af701
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMx

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2504	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2504	svchcst.exe
2976	svchcst.exe
2680	svchcst.exe
1620	svchcst.exe
2788	svchcst.exe
880	svchcst.exe
672	svchcst.exe
2200	svchcst.exe
332	svchcst.exe
2300	svchcst.exe
2948	svchcst.exe
2508	svchcst.exe
2944	svchcst.exe
2220	svchcst.exe
2420	svchcst.exe
1804	svchcst.exe
684	svchcst.exe
660	svchcst.exe
884	svchcst.exe
2456	svchcst.exe
1972	svchcst.exe
1728	svchcst.exe
1824	svchcst.exe
2388	svchcst.exe
2156	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2132	WScript.exe
1648	WScript.exe
2132	WScript.exe
1648	WScript.exe
2132	WScript.exe
2132	WScript.exe
2132	WScript.exe
2016	WScript.exe
2260	WScript.exe
1804	WScript.exe
1804	WScript.exe
1804	WScript.exe
1664	WScript.exe
2180	WScript.exe
2888	WScript.exe
2888	WScript.exe
3016	WScript.exe
3016	WScript.exe
1564	WScript.exe
1564	WScript.exe
2056	WScript.exe
2056	WScript.exe
996	WScript.exe
996	WScript.exe
2160	WScript.exe
2160	WScript.exe
944	WScript.exe
944	WScript.exe
1628	WScript.exe
1628	WScript.exe
3040	WScript.exe
3040	WScript.exe
1648	WScript.exe
1648	WScript.exe
2948	WScript.exe
2948	WScript.exe
2936	WScript.exe
2936	WScript.exe
2132	WScript.exe
2132	WScript.exe
2192	WScript.exe
2192	WScript.exe
904	WScript.exe
904	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe
756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2680	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe
756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe
2504	svchcst.exe
2504	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
880	svchcst.exe
880	svchcst.exe
672	svchcst.exe
672	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
332	svchcst.exe
332	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
684	svchcst.exe
684	svchcst.exe
660	svchcst.exe
660	svchcst.exe
884	svchcst.exe
884	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 1648	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	28
PID 756 wrote to memory of 1648	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	28
PID 756 wrote to memory of 1648	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	28
PID 756 wrote to memory of 1648	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	28
PID 756 wrote to memory of 2132	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	29
PID 756 wrote to memory of 2132	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	29
PID 756 wrote to memory of 2132	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	29
PID 756 wrote to memory of 2132	756	72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe	29
PID 2132 wrote to memory of 2976	2132	WScript.exe	32
PID 2132 wrote to memory of 2976	2132	WScript.exe	32
PID 2132 wrote to memory of 2976	2132	WScript.exe	32
PID 2132 wrote to memory of 2976	2132	WScript.exe	32
PID 1648 wrote to memory of 2504	1648	WScript.exe	31
PID 1648 wrote to memory of 2504	1648	WScript.exe	31
PID 1648 wrote to memory of 2504	1648	WScript.exe	31
PID 1648 wrote to memory of 2504	1648	WScript.exe	31
PID 2132 wrote to memory of 2680	2132	WScript.exe	33
PID 2132 wrote to memory of 2680	2132	WScript.exe	33
PID 2132 wrote to memory of 2680	2132	WScript.exe	33
PID 2132 wrote to memory of 2680	2132	WScript.exe	33
PID 2680 wrote to memory of 2016	2680	svchcst.exe	34
PID 2680 wrote to memory of 2016	2680	svchcst.exe	34
PID 2680 wrote to memory of 2016	2680	svchcst.exe	34
PID 2680 wrote to memory of 2016	2680	svchcst.exe	34
PID 2132 wrote to memory of 1620	2132	WScript.exe	35
PID 2132 wrote to memory of 1620	2132	WScript.exe	35
PID 2132 wrote to memory of 1620	2132	WScript.exe	35
PID 2132 wrote to memory of 1620	2132	WScript.exe	35
PID 2016 wrote to memory of 2788	2016	WScript.exe	36
PID 2016 wrote to memory of 2788	2016	WScript.exe	36
PID 2016 wrote to memory of 2788	2016	WScript.exe	36
PID 2016 wrote to memory of 2788	2016	WScript.exe	36
PID 1620 wrote to memory of 2260	1620	svchcst.exe	37
PID 1620 wrote to memory of 2260	1620	svchcst.exe	37
PID 1620 wrote to memory of 2260	1620	svchcst.exe	37
PID 1620 wrote to memory of 2260	1620	svchcst.exe	37
PID 2260 wrote to memory of 880	2260	WScript.exe	38
PID 2260 wrote to memory of 880	2260	WScript.exe	38
PID 2260 wrote to memory of 880	2260	WScript.exe	38
PID 2260 wrote to memory of 880	2260	WScript.exe	38
PID 880 wrote to memory of 1804	880	svchcst.exe	39
PID 880 wrote to memory of 1804	880	svchcst.exe	39
PID 880 wrote to memory of 1804	880	svchcst.exe	39
PID 880 wrote to memory of 1804	880	svchcst.exe	39
PID 1804 wrote to memory of 672	1804	WScript.exe	40
PID 1804 wrote to memory of 672	1804	WScript.exe	40
PID 1804 wrote to memory of 672	1804	WScript.exe	40
PID 1804 wrote to memory of 672	1804	WScript.exe	40
PID 672 wrote to memory of 2128	672	svchcst.exe	41
PID 672 wrote to memory of 2128	672	svchcst.exe	41
PID 672 wrote to memory of 2128	672	svchcst.exe	41
PID 672 wrote to memory of 2128	672	svchcst.exe	41
PID 1804 wrote to memory of 2200	1804	WScript.exe	42
PID 1804 wrote to memory of 2200	1804	WScript.exe	42
PID 1804 wrote to memory of 2200	1804	WScript.exe	42
PID 1804 wrote to memory of 2200	1804	WScript.exe	42
PID 2200 wrote to memory of 1664	2200	svchcst.exe	43
PID 2200 wrote to memory of 1664	2200	svchcst.exe	43
PID 2200 wrote to memory of 1664	2200	svchcst.exe	43
PID 2200 wrote to memory of 1664	2200	svchcst.exe	43
PID 1664 wrote to memory of 332	1664	WScript.exe	44
PID 1664 wrote to memory of 332	1664	WScript.exe	44
PID 1664 wrote to memory of 332	1664	WScript.exe	44
PID 1664 wrote to memory of 332	1664	WScript.exe	44

C:\Users\Admin\AppData\Local\Temp\72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe
"C:\Users\Admin\AppData\Local\Temp\72293ce3989634eab4731c0323f6a387f7207c971e2eb418b164b8a99c63c755.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2976
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b7a8cc6029adc31b956b58b854f4425a

SHA1
9028dce0e668114ed5eb7b62098479b214c891e9

SHA256
f6f9b463d3f6f9ca149e20dbb0ce1615de7223d077f88d20eb65affb5de44121

SHA512
88324577e11ae86b860733fcb0d270f21b01ae1adcf1cff90c7eb47d471def54967a4d9b13d9d91eeb0e6cfa478188180c6cbc84f8a9a91aa208d33e05194ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aa0bb578fa6905fa8ee40049bff7191d

SHA1
2e6c39a68b299062ad713a06bc2077c7024869b8

SHA256
2c607c39db5b1bf1f5bd14715a3c5e30896f92059e9ba3374c6d37be3a0137de

SHA512
0c2a303d17407f688137fe457d55d6ead838b979d44a15120973ae19af4f77beda69bce23bd4c365b3c4bd24d4ce7a7cf2720f3f682b373f94181ee45a402e29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ca5a58a5d35d5856b65d0c11a9df0a6a

SHA1
03f21a5b356b667759356de132d84691a9cd6824

SHA256
baa85d5edb32d779fb126d82dcf21695258d88d6999c2efc191dc81c2cd0df51

SHA512
697a07076d9ad3e296a151073a9bc7aa21395175809889a981cddb3f2248210ac28b4a7a8b5c6c43ef717f2d94d0c051d53f09213178a4bd567a253652d26b35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da05624a08e45a3ec7de108a4bd0bc75

SHA1
acac207f245aceb34a3f730fe4e6f2759fe8a024

SHA256
8a8371658779e0440a36d02fc991c900ad9606c289a302f39818427ee25a78c3

SHA512
bcb36fe7e83ca063c312f8811e734d0c7f4f71f7dcf178e62b5f5b6bb87fa4a34fa5c9cb06c56532d431d6efe70dae8b9706ce27d4e07397b3ef57f272893a2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9e8121c737d570d6d6a079e4d2c780e9

SHA1
2a6c3191fb76301c0b9941fc7345fbb5514aefa9

SHA256
77ce37daeebe69d18c5c0f5750451638e1682e322fc78bbfbfcbcec11d0af084

SHA512
f344385062a6eb3a9cd19491a82513c1d19281fb0bcf83e546fe30e453524ee00ed6a78db73a0daf8959175c721c83626b78594444ffe1612c62eb226e4d1c74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8fc6928c1977024c951a9466bf5715d1

SHA1
08b6a3bc3ae8a15db91d30d2ad0fede6f9320730

SHA256
bc640fecde0b816aadf6b11acfa22484040056905fa6fd9c9ea50a2aa986ea13

SHA512
495444975dc77733239630d5ac92eef97872662c5ffc5c65e3f767d08dad02567f5be2d4307cf4e336c947cc5ea813be83506b2b44fc56384b28d15d3a4a27d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8d61b148d977b3d6b2e2bfe5b88fefbb

SHA1
794e4521831db3d08feef52496531b0017fe10e5

SHA256
d8ea853e4ae84e1007c972724e44305ac24dadd796e276d27f331fe05d40c3c2

SHA512
6621858a2c00919a8817fc73e9d46130cbafb7de304d108c542f61aa074c733fe12b516f6cdd763372d288a4a2dea879e8da056b5cbbd68b6b947f6f1e01d134

Download Submit
memory/756-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download