782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
Size

1.1MB
MD5

887f4714f65f3c4ca5d84fda752feb45
SHA1

998406c28f4988628c2bd3f6ee2eb20dfc506518
SHA256

782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d
SHA512

b505059b898d5d14dcc4b123dbfc97c47d121af3d53965e09ce41d478192f9756cc4ed3d23144266a6a9cef70ec6da4d82169b8df5144c0d31ae8654ab2de050
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q+:CcaClSFlG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2716	svchcst.exe
2940	svchcst.exe
1668	svchcst.exe
2544	svchcst.exe
592	svchcst.exe
2628	svchcst.exe
1708	svchcst.exe
2656	svchcst.exe
1468	svchcst.exe
2524	svchcst.exe
1588	svchcst.exe
2912	svchcst.exe
2544	svchcst.exe
1964	svchcst.exe
1552	svchcst.exe
2188	svchcst.exe
2612	svchcst.exe
2448	svchcst.exe
2572	svchcst.exe
1184	svchcst.exe
2548	svchcst.exe
2152	svchcst.exe
1968	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
3040	WScript.exe
3040	WScript.exe
2444	WScript.exe
2444	WScript.exe
2692	WScript.exe
2692	WScript.exe
2036	WScript.exe
2036	WScript.exe
2312	WScript.exe
2312	WScript.exe
2316	WScript.exe
2316	WScript.exe
988	WScript.exe
988	WScript.exe
1220	WScript.exe
1220	WScript.exe
3008	WScript.exe
3008	WScript.exe
2504	WScript.exe
2504	WScript.exe
2040	WScript.exe
2040	WScript.exe
1200	WScript.exe
1200	WScript.exe
1888	WScript.exe
1888	WScript.exe
884	WScript.exe
884	WScript.exe
1372	WScript.exe
1372	WScript.exe
1136	WScript.exe
1136	WScript.exe
1760	WScript.exe
1760	WScript.exe
2184	WScript.exe
2184	WScript.exe
2928	WScript.exe
2928	WScript.exe
2916	WScript.exe
2916	WScript.exe
1580	WScript.exe
1580	WScript.exe
808	WScript.exe
808	WScript.exe
324	WScript.exe
324	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
2716	svchcst.exe
2716	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
592	svchcst.exe
592	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
1588	svchcst.exe
1588	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
1184	svchcst.exe
1184	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2152	svchcst.exe
2152	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 3040	1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe	28
PID 1108 wrote to memory of 3040	1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe	28
PID 1108 wrote to memory of 3040	1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe	28
PID 1108 wrote to memory of 3040	1108	782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe	28
PID 3040 wrote to memory of 2716	3040	WScript.exe	30
PID 3040 wrote to memory of 2716	3040	WScript.exe	30
PID 3040 wrote to memory of 2716	3040	WScript.exe	30
PID 3040 wrote to memory of 2716	3040	WScript.exe	30
PID 2716 wrote to memory of 2444	2716	svchcst.exe	31
PID 2716 wrote to memory of 2444	2716	svchcst.exe	31
PID 2716 wrote to memory of 2444	2716	svchcst.exe	31
PID 2716 wrote to memory of 2444	2716	svchcst.exe	31
PID 2444 wrote to memory of 2940	2444	WScript.exe	32
PID 2444 wrote to memory of 2940	2444	WScript.exe	32
PID 2444 wrote to memory of 2940	2444	WScript.exe	32
PID 2444 wrote to memory of 2940	2444	WScript.exe	32
PID 2940 wrote to memory of 2692	2940	svchcst.exe	33
PID 2940 wrote to memory of 2692	2940	svchcst.exe	33
PID 2940 wrote to memory of 2692	2940	svchcst.exe	33
PID 2940 wrote to memory of 2692	2940	svchcst.exe	33
PID 2692 wrote to memory of 1668	2692	WScript.exe	34
PID 2692 wrote to memory of 1668	2692	WScript.exe	34
PID 2692 wrote to memory of 1668	2692	WScript.exe	34
PID 2692 wrote to memory of 1668	2692	WScript.exe	34
PID 1668 wrote to memory of 2036	1668	svchcst.exe	35
PID 1668 wrote to memory of 2036	1668	svchcst.exe	35
PID 1668 wrote to memory of 2036	1668	svchcst.exe	35
PID 1668 wrote to memory of 2036	1668	svchcst.exe	35
PID 2036 wrote to memory of 2544	2036	WScript.exe	36
PID 2036 wrote to memory of 2544	2036	WScript.exe	36
PID 2036 wrote to memory of 2544	2036	WScript.exe	36
PID 2036 wrote to memory of 2544	2036	WScript.exe	36
PID 2544 wrote to memory of 2312	2544	svchcst.exe	37
PID 2544 wrote to memory of 2312	2544	svchcst.exe	37
PID 2544 wrote to memory of 2312	2544	svchcst.exe	37
PID 2544 wrote to memory of 2312	2544	svchcst.exe	37
PID 2312 wrote to memory of 592	2312	WScript.exe	38
PID 2312 wrote to memory of 592	2312	WScript.exe	38
PID 2312 wrote to memory of 592	2312	WScript.exe	38
PID 2312 wrote to memory of 592	2312	WScript.exe	38
PID 592 wrote to memory of 2316	592	svchcst.exe	39
PID 592 wrote to memory of 2316	592	svchcst.exe	39
PID 592 wrote to memory of 2316	592	svchcst.exe	39
PID 592 wrote to memory of 2316	592	svchcst.exe	39
PID 2316 wrote to memory of 2628	2316	WScript.exe	40
PID 2316 wrote to memory of 2628	2316	WScript.exe	40
PID 2316 wrote to memory of 2628	2316	WScript.exe	40
PID 2316 wrote to memory of 2628	2316	WScript.exe	40
PID 2628 wrote to memory of 988	2628	svchcst.exe	41
PID 2628 wrote to memory of 988	2628	svchcst.exe	41
PID 2628 wrote to memory of 988	2628	svchcst.exe	41
PID 2628 wrote to memory of 988	2628	svchcst.exe	41
PID 988 wrote to memory of 1708	988	WScript.exe	42
PID 988 wrote to memory of 1708	988	WScript.exe	42
PID 988 wrote to memory of 1708	988	WScript.exe	42
PID 988 wrote to memory of 1708	988	WScript.exe	42
PID 1708 wrote to memory of 1220	1708	svchcst.exe	43
PID 1708 wrote to memory of 1220	1708	svchcst.exe	43
PID 1708 wrote to memory of 1220	1708	svchcst.exe	43
PID 1708 wrote to memory of 1220	1708	svchcst.exe	43
PID 1220 wrote to memory of 2656	1220	WScript.exe	46
PID 1220 wrote to memory of 2656	1220	WScript.exe	46
PID 1220 wrote to memory of 2656	1220	WScript.exe	46
PID 1220 wrote to memory of 2656	1220	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe
"C:\Users\Admin\AppData\Local\Temp\782aa70cec4b05a3efb0306a2b77326907fd735e6793edf50a47be75bb360d5d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
840853c0aa5a4d702a8110a0cb763b4b

SHA1
58d028e09818c3fd2a9d521c26772cf4d1a9072a

SHA256
4438df44bf53668a332407b1c60d745bd1293a3f1acab9953b1d77e5131d2728

SHA512
f2b044e4710dadb03164bc78519207bd8d39d2cf9d4568fc11c38271eabc3e57410083b1cf29e40b1f6119ffa33ed4784ef652f112e50b554c2983755a606b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5e541136eea63d25031679f7a8819fad

SHA1
7a35b606412dbb5e346bee570b4e20b37a065254

SHA256
bc3fb08b9ecb25007093a7160561991a10883e4a7db942936b99846f8053dcd8

SHA512
99b596e6201fbdac27d49fb22779a5f5f740a2a8f01e0ff8ccfbb9b898738cf43ef32eab20358e5313db516b9649ff1db9e87c559fdcd1fb0b2218b07491f8cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7254409df69885c70a9b3464fad674c1

SHA1
80d6049bd7e6e796fc4060a4ea02981f76f8e144

SHA256
3651df6316c395877770b0dca7850b1b9b3f1358b297edb7de2ef9270304fc01

SHA512
700fc92505217e826fbf281d12f053a5147daeba795ed3081f5cab6df28d203fdee3508de2fde8ec9dcfea46e301fd0d89c52af3ad9fc73a0d8f60f64c42a3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
978e3efc6d93198d501b26bb6fc6dc00

SHA1
87cd6b6cb429f10ece0c23556522af063ebd061b

SHA256
b05171abe9b0c5cde9faa40d6180a9209bdcd9b1581c823e1cf9febf85fd3385

SHA512
989ddf94a926f0debe1437ea0966e04f4cb577b0945e6b01ae8e69df10343b048c8fadf7842274f1cc79be5ea602cba14e41c8a46f1b0019fc80e63bec71214d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2f90c379989abc165f254492d036385c

SHA1
7baeeea3860ed45699cad4e792a707f1ff06d578

SHA256
ab37d8a377b36adba303f5872a881a1b69dcae8749810b61ff7a4363d252c27e

SHA512
ebb33dcfb0bf27aec54242ede57db4e22006d16be2c39c4fc31acfdcf4f09e4dc93a3bd8e4edb7de51df24ab2b900fc98a11c925dd820dd4b188cf493b0f6390

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aee3fc76b82f296ac07b7fea3dab7128

SHA1
1ea373050cfd9a65c5fc3b74cdaa69dc82079301

SHA256
602e7b2e7ed3b7f63f7e4caec036bf141ede3167ba79afa1ee75d2b1cab46d56

SHA512
7ee01afec58014d622eb808ce5b1b0de08da38fc4931f412bb9cfeaff27a88daf6e518db62304238e6ad0280655ae0bb4a9830807c26c90e15ac1f88c46a43d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d5183efd255ddc953761b9dd8494f55a

SHA1
de913045dd376d938fe0f122ea96e081c058afa5

SHA256
7e19cf2eeb643467eca14a6649def6351308562567fad17a56997cec580f7ff5

SHA512
341f31135284aded5b36fcabc553580b276293948429f0b4fd185eaa889d255b69eeea855ea2b26e32f451ee5069517b9bb43b0895c39ae24df9080afaa4c842

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cf9f0fdc01fa5d046b77b417f9602048

SHA1
ffae8e25fe4ca8fa18eea77230c5afe594bac765

SHA256
5bb39c185b810762831884787830447c0e6acb4a959f075f1230934d4a6727a3

SHA512
69d8058112075665777259cbc66b17d446a91c442030d56589cd3039b1dc1151f3d221e84a642e8b00809636862cd05fac20ccf405f9d658cf8c30decc3e59f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fc6709e572ecb0e12982d24b4d7cd980

SHA1
92f5e7b1f8690f8f0943f4fcb7a1058453b30cd7

SHA256
fbcd6e4ab4684df5d9ec912add749491d094a2f5a0270f987b9c090847a8fcca

SHA512
34b98bc27eb78b508c70899a396622640683b35970b81bac9c79cee0db4a1da1df8fa592702e1a523af818d5f12425dbfa578975a2541cf2291eb513aadb41ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8a346bfd7f7c07cc2f89767bc71277a5

SHA1
6cb01dafc23695d3d1ba6d1f1f6249a74ea457a6

SHA256
60dc7a9e2f1b587a8d88277b15d84dca84967f7b39c21211078a81868d5fe01c

SHA512
24892c074ef69e009c1f5d8929220e8df2cda37ab3c3960279e7d485b367e10e1839b2cf275b840d0457a68a7736e917cc958fa241b53d8a0e9574c8c401dcda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fd9e9699149cc0dbc7c57aa82d6a2472

SHA1
0ea7d3ad4c895bec93514099b33f225e126b9534

SHA256
2b5373f044c8a8c8c7929de7d363490610a2555a6fcf5f5f23c9edd9112c9e62

SHA512
ede899f5c32cd79904f25b64d62d706eedb84ad295676153bae1f1cd62ce21ab9760394f10cac980cc27c567eae12f41a71cbed7a4670d256c4f6b3a19b68dac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a8e69986fcde4cab1ceb85353fad5c1

SHA1
653d9e8a3bdebf98b70ef3bcad515e5d807da1a3

SHA256
164a77b380c4c5848d39afa17c4a3d3c529e26c0295080c254376e29dad748d2

SHA512
403e9abd1c7e323b76b8b051774dfdc8dd9a208b3d32287ec31ec80fe90bbc60d4ec36cfc47d0fb1a5fe1e1fa90adab441b10fc0006bf20e1a7e3a1de0fe028a

Download Submit
memory/1108-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download