569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
Size

1.1MB
MD5

9b3224ee2c2c7bad4a58a92a8ed91d9f
SHA1

b2542cd1a89839fd2943e9e2d30fa809bf8936b6
SHA256

569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35
SHA512

eee65996303d778dc961e3a57b939ba944c97acc7b028f6c83390f4e45ffc78a6b2445bce35b63773f84a5ed15bcc0e7dcd5a0dc839f5f5fa2eda661534c7f40
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzM/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2572	svchcst.exe
3028	svchcst.exe
2856	svchcst.exe
1516	svchcst.exe
2636	svchcst.exe
1772	svchcst.exe
1864	svchcst.exe
1600	svchcst.exe
2536	svchcst.exe
2724	svchcst.exe
2832	svchcst.exe
1780	svchcst.exe
2892	svchcst.exe
1224	svchcst.exe
616	svchcst.exe
332	svchcst.exe
2988	svchcst.exe
2276	svchcst.exe
2592	svchcst.exe
2672	svchcst.exe
2348	svchcst.exe
1300	svchcst.exe
856	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
3068	WScript.exe
3068	WScript.exe
2568	WScript.exe
2568	WScript.exe
2876	WScript.exe
2876	WScript.exe
2892	WScript.exe
2892	WScript.exe
2300	WScript.exe
2300	WScript.exe
2308	WScript.exe
2308	WScript.exe
1552	WScript.exe
1552	WScript.exe
2044	WScript.exe
2044	WScript.exe
956	WScript.exe
956	WScript.exe
2508	WScript.exe
2508	WScript.exe
2500	WScript.exe
2500	WScript.exe
1764	WScript.exe
1764	WScript.exe
2916	WScript.exe
2916	WScript.exe
1860	WScript.exe
1860	WScript.exe
448	WScript.exe
448	WScript.exe
2216	WScript.exe
2216	WScript.exe
1232	WScript.exe
1232	WScript.exe
2564	WScript.exe
2564	WScript.exe
1964	WScript.exe
1964	WScript.exe
2680	WScript.exe
2680	WScript.exe
1688	WScript.exe
1688	WScript.exe
2772	WScript.exe
2772	WScript.exe
2316	WScript.exe
2316	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
2572	svchcst.exe
2572	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
1772	svchcst.exe
1772	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
1224	svchcst.exe
1224	svchcst.exe
616	svchcst.exe
616	svchcst.exe
332	svchcst.exe
332	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
856	svchcst.exe
856	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3068	2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	28
PID 2360 wrote to memory of 3068	2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	28
PID 2360 wrote to memory of 3068	2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	28
PID 2360 wrote to memory of 3068	2360	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	28
PID 3068 wrote to memory of 2572	3068	WScript.exe	30
PID 3068 wrote to memory of 2572	3068	WScript.exe	30
PID 3068 wrote to memory of 2572	3068	WScript.exe	30
PID 3068 wrote to memory of 2572	3068	WScript.exe	30
PID 2572 wrote to memory of 2568	2572	svchcst.exe	31
PID 2572 wrote to memory of 2568	2572	svchcst.exe	31
PID 2572 wrote to memory of 2568	2572	svchcst.exe	31
PID 2572 wrote to memory of 2568	2572	svchcst.exe	31
PID 2568 wrote to memory of 3028	2568	WScript.exe	32
PID 2568 wrote to memory of 3028	2568	WScript.exe	32
PID 2568 wrote to memory of 3028	2568	WScript.exe	32
PID 2568 wrote to memory of 3028	2568	WScript.exe	32
PID 3028 wrote to memory of 2876	3028	svchcst.exe	33
PID 3028 wrote to memory of 2876	3028	svchcst.exe	33
PID 3028 wrote to memory of 2876	3028	svchcst.exe	33
PID 3028 wrote to memory of 2876	3028	svchcst.exe	33
PID 2876 wrote to memory of 2856	2876	WScript.exe	34
PID 2876 wrote to memory of 2856	2876	WScript.exe	34
PID 2876 wrote to memory of 2856	2876	WScript.exe	34
PID 2876 wrote to memory of 2856	2876	WScript.exe	34
PID 2856 wrote to memory of 2892	2856	svchcst.exe	35
PID 2856 wrote to memory of 2892	2856	svchcst.exe	35
PID 2856 wrote to memory of 2892	2856	svchcst.exe	35
PID 2856 wrote to memory of 2892	2856	svchcst.exe	35
PID 2892 wrote to memory of 1516	2892	WScript.exe	36
PID 2892 wrote to memory of 1516	2892	WScript.exe	36
PID 2892 wrote to memory of 1516	2892	WScript.exe	36
PID 2892 wrote to memory of 1516	2892	WScript.exe	36
PID 1516 wrote to memory of 2300	1516	svchcst.exe	37
PID 1516 wrote to memory of 2300	1516	svchcst.exe	37
PID 1516 wrote to memory of 2300	1516	svchcst.exe	37
PID 1516 wrote to memory of 2300	1516	svchcst.exe	37
PID 2300 wrote to memory of 2636	2300	WScript.exe	38
PID 2300 wrote to memory of 2636	2300	WScript.exe	38
PID 2300 wrote to memory of 2636	2300	WScript.exe	38
PID 2300 wrote to memory of 2636	2300	WScript.exe	38
PID 2636 wrote to memory of 2308	2636	svchcst.exe	39
PID 2636 wrote to memory of 2308	2636	svchcst.exe	39
PID 2636 wrote to memory of 2308	2636	svchcst.exe	39
PID 2636 wrote to memory of 2308	2636	svchcst.exe	39
PID 2308 wrote to memory of 1772	2308	WScript.exe	40
PID 2308 wrote to memory of 1772	2308	WScript.exe	40
PID 2308 wrote to memory of 1772	2308	WScript.exe	40
PID 2308 wrote to memory of 1772	2308	WScript.exe	40
PID 1772 wrote to memory of 1552	1772	svchcst.exe	41
PID 1772 wrote to memory of 1552	1772	svchcst.exe	41
PID 1772 wrote to memory of 1552	1772	svchcst.exe	41
PID 1772 wrote to memory of 1552	1772	svchcst.exe	41
PID 1552 wrote to memory of 1864	1552	WScript.exe	42
PID 1552 wrote to memory of 1864	1552	WScript.exe	42
PID 1552 wrote to memory of 1864	1552	WScript.exe	42
PID 1552 wrote to memory of 1864	1552	WScript.exe	42
PID 1864 wrote to memory of 2044	1864	svchcst.exe	43
PID 1864 wrote to memory of 2044	1864	svchcst.exe	43
PID 1864 wrote to memory of 2044	1864	svchcst.exe	43
PID 1864 wrote to memory of 2044	1864	svchcst.exe	43
PID 2044 wrote to memory of 1600	2044	WScript.exe	46
PID 2044 wrote to memory of 1600	2044	WScript.exe	46
PID 2044 wrote to memory of 1600	2044	WScript.exe	46
PID 2044 wrote to memory of 1600	2044	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
"C:\Users\Admin\AppData\Local\Temp\569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
834d3bd5afd317beab4d55686135bdd5

SHA1
943058e7fca846d32c625d4173498b32defa607f

SHA256
8e9f87bc774940b28c5e2d9f62112fbc0b664a95e5109b8b06d19566c79f8748

SHA512
7928ad1ab00172fbb5ae8a52b897304a9d0b05cbacbd550d12f9f9b0d2e5f4cbb52db3456b6edea72d4230e33af0c99b1fb84beb44fd26d21d39d1c2670d2b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
16b9011648a577741b7fb4a55f1eeaac

SHA1
b0d86d1cf62b882bf28f0897ddb610e41cc6814c

SHA256
7bf3fbb9962c054e651caf4e49fa468d5892cb0bf88f4bbf3fd85b372a7d173c

SHA512
1d8631904aa2df5a90aef858d4369ed53d0075f97b42361a8e05c9a64f8e6a786897b625b1230d20415f3923db8aa5d8f5f619b7b9084202fecf4e7cead4366d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6ae77601fb39c775b5ebbc810b041ce7

SHA1
83875f009bcf617c27a90a16ca0b80f99832bc57

SHA256
4a090d8d5bb97375565ebe6da5ede00f6dc4fc6c83b2b2df0576fb2be653b025

SHA512
ae9b473a53671b20a08f2957b3db487dfe22293f81c57d16d8cf5f18fe094d0401e846c772526fb4ef8335037153e1f3df91604b7b7585b4f18237a95171699a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
00d419664b221c4fec7d09705f95a7b2

SHA1
5d72e75fc4a3f41c101fc4f5418967d7c4c7e0a8

SHA256
1cb455555b0260b32dd74624be1444df7e0c6a27489676dcc7dc4da3b37eba82

SHA512
a880280cc932d788a9cfcfe4a8eab1dd507526a7e4396798a6de24029437f8648ad7400f59c877c07528e5592f49e18012e6a42dd0c5f976ec6c13aef83abeff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1183688b1f29486257ac492095687616

SHA1
0fc5cf6db14d5bcd52d3f9e2963c6f716f2bbd36

SHA256
fd9c3bfeede9cdc47a39cd4408ca337de3b0744bda2b1737cda80ac0b4ac7e69

SHA512
84604c9d428a87a02cfc3e3345fcd25da5938605358bb43051cc8547a3d53babe7d53cf191f00fbc298511845fb7059ba33d45d20979a31637770c50dbcf1bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e6991dd64fa2740d19c494ca6e5a4e42

SHA1
a9d6feda1f29f7d091b001dee4a52cd8f0144540

SHA256
d9ead7d58c98c42cf9c138a64638a4267ff90fe6169bbc65a1bed92eb5f82ee5

SHA512
b9bf64fc52704a7e6a8244636bf4582467e8e760b2cb6ef96242c2a13edaafa192dd6623ced22cc8ad3abbc017a591e1b7993632b1d068eaecaa322847564664

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4998289bdd41b2b6c8581d428798ffee

SHA1
d848cf0d53d2db42c356d1890aa61c57315d6494

SHA256
51822ba609a473ad331f9f6f5aa600febceba5d64f7c62a177ba3a74279db0f9

SHA512
a8ffad276cc073be16bc1b8f05b3ade9292d3dfc42b0e6fdfb139c93cbec0b363e72dba70626273ed54334d9553ce52aff7bc86a9a9b2d457718881e468ed70b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
07d5b6eca92d83e45ddfb666cc6d4435

SHA1
ea9288767d46e79ee06e53ed7ffd29fc2ab1f04c

SHA256
7695b764e32187a34fd402ac077ab07e2f9518478a51cdd69aad991c1d4f44fb

SHA512
4e0dd090fd1e5ded8da844ac4243de4ed336df0b4b56a6fd46ec4e2ef43276c91779239fbf66fabae7504f5eaaa0ec01b9d686817471e6551241400a669a90a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b0442f10f9759f9d75a35a378522a594

SHA1
d2a0ad188852687e0369874f6f0904fb8c327cf1

SHA256
bf1f4bb2632452c2b4175d32020652e16e078e1920da40578d551d080aa16ed5

SHA512
e9cb03b40910fe5c32e8daf9f30a3cade78db7d8da40a9d8323a9571fab3995f809407ac42b6cf701be4b0034743e4a0bb3d05a7564fbe9696181cbbfaa70778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5daa367420b3696755911ce82bb8b0cd

SHA1
af735c3b7ad9ed77650cef59e8b51f765db142dc

SHA256
e20f8565c3a56e90e0d86f5512d9c3f52672c0fce54433352250195a292c26bc

SHA512
f1660d813e94065db35984531c597c1e1f535a08737128d41107806f7f7086597839c05c3785e38343d015bc83b879c4b34153449df8ffa2e730a7981c29c617

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
39bac87e09b9e90d0224ee40f766b8c3

SHA1
182025ac485f1843d34dd29d35757313fa337494

SHA256
c1b340fc594fb7b1cdd08e11f405fb705db12795990fe36d9b6eaf288921e9c3

SHA512
4361089644fc96b694ff9f277b51fb0d3f34c08944d7a72ccfb75df0d7c4f70cb765637cdac4ac123617090855f07e40be2b9b2a1110feb23c057e9015ce7fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c993d524f141409809b4aa810bfb2c76

SHA1
1e7ae57c373209e55d4c2e921daf1666deb3cb05

SHA256
a5cd764374efea0d85b8b93d925cc95eba3ddf1fdd4ac09d8cacedf7d1a6c89e

SHA512
c0eda15096cc41da56eaa9a8dbee1c79a2867ad8a86777913c9dfb51f2d6838784a43925afbe9c165ebea51067c6a5673d0b405befbb1e1e7e9bd88bb106d802

Download Submit
memory/2360-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download