80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe
Size

1.1MB
MD5

8c4a409d0560881608cc950799b682f3
SHA1

4c58d036e5d8dd2804a5cc29faf4e5cf812f3f71
SHA256

80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3
SHA512

9c8a505209d6de7e6d1ef8677fe76f853233bef4fee1b473c81fc9df72f81d2c50f50e647a7e636f7bb14c484dab9163a999b1640030364a1ddf52f7738c21e2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QW:CcaClSFlG4ZM7QzMt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2524	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2524	svchcst.exe
1944	svchcst.exe
1940	svchcst.exe
1392	svchcst.exe
2004	svchcst.exe
876	svchcst.exe
1344	svchcst.exe
1592	svchcst.exe
2844	svchcst.exe
2784	svchcst.exe
1956	svchcst.exe
1528	svchcst.exe
1748	svchcst.exe
576	svchcst.exe
2304	svchcst.exe
2180	svchcst.exe
860	svchcst.exe
1860	svchcst.exe
1732	svchcst.exe
2972	svchcst.exe
1944	svchcst.exe
1544	svchcst.exe
2592	svchcst.exe

Loads dropped DLL 35 IoCs

pid	Process
2676	WScript.exe
2676	WScript.exe
2512	WScript.exe
2684	WScript.exe
1736	WScript.exe
1736	WScript.exe
2132	WScript.exe
1508	WScript.exe
1772	WScript.exe
2984	WScript.exe
2760	WScript.exe
2824	WScript.exe
2824	WScript.exe
2824	WScript.exe
1972	WScript.exe
1276	WScript.exe
2000	WScript.exe
1380	WScript.exe
1380	WScript.exe
2908	WScript.exe
2908	WScript.exe
1716	WScript.exe
1716	WScript.exe
1244	WScript.exe
1244	WScript.exe
2800	WScript.exe
2800	WScript.exe
2556	WScript.exe
2556	WScript.exe
2468	WScript.exe
2468	WScript.exe
1512	WScript.exe
1512	WScript.exe
2316	WScript.exe
2316	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe
1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe
2524	svchcst.exe
2524	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe
1392	svchcst.exe
1392	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
876	svchcst.exe
876	svchcst.exe
1344	svchcst.exe
1344	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
576	svchcst.exe
576	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
860	svchcst.exe
860	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2676	1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe	28
PID 1768 wrote to memory of 2676	1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe	28
PID 1768 wrote to memory of 2676	1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe	28
PID 1768 wrote to memory of 2676	1768	80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe	28
PID 2676 wrote to memory of 2524	2676	WScript.exe	30
PID 2676 wrote to memory of 2524	2676	WScript.exe	30
PID 2676 wrote to memory of 2524	2676	WScript.exe	30
PID 2676 wrote to memory of 2524	2676	WScript.exe	30
PID 2524 wrote to memory of 2512	2524	svchcst.exe	31
PID 2524 wrote to memory of 2512	2524	svchcst.exe	31
PID 2524 wrote to memory of 2512	2524	svchcst.exe	31
PID 2524 wrote to memory of 2512	2524	svchcst.exe	31
PID 2512 wrote to memory of 1944	2512	WScript.exe	32
PID 2512 wrote to memory of 1944	2512	WScript.exe	32
PID 2512 wrote to memory of 1944	2512	WScript.exe	32
PID 2512 wrote to memory of 1944	2512	WScript.exe	32
PID 1944 wrote to memory of 2684	1944	svchcst.exe	33
PID 1944 wrote to memory of 2684	1944	svchcst.exe	33
PID 1944 wrote to memory of 2684	1944	svchcst.exe	33
PID 1944 wrote to memory of 2684	1944	svchcst.exe	33
PID 2684 wrote to memory of 1940	2684	WScript.exe	34
PID 2684 wrote to memory of 1940	2684	WScript.exe	34
PID 2684 wrote to memory of 1940	2684	WScript.exe	34
PID 2684 wrote to memory of 1940	2684	WScript.exe	34
PID 1940 wrote to memory of 1736	1940	svchcst.exe	35
PID 1940 wrote to memory of 1736	1940	svchcst.exe	35
PID 1940 wrote to memory of 1736	1940	svchcst.exe	35
PID 1940 wrote to memory of 1736	1940	svchcst.exe	35
PID 1736 wrote to memory of 1392	1736	WScript.exe	36
PID 1736 wrote to memory of 1392	1736	WScript.exe	36
PID 1736 wrote to memory of 1392	1736	WScript.exe	36
PID 1736 wrote to memory of 1392	1736	WScript.exe	36
PID 1392 wrote to memory of 2132	1392	svchcst.exe	37
PID 1392 wrote to memory of 2132	1392	svchcst.exe	37
PID 1392 wrote to memory of 2132	1392	svchcst.exe	37
PID 1392 wrote to memory of 2132	1392	svchcst.exe	37
PID 2132 wrote to memory of 2004	2132	WScript.exe	38
PID 2132 wrote to memory of 2004	2132	WScript.exe	38
PID 2132 wrote to memory of 2004	2132	WScript.exe	38
PID 2132 wrote to memory of 2004	2132	WScript.exe	38
PID 2004 wrote to memory of 1508	2004	svchcst.exe	39
PID 2004 wrote to memory of 1508	2004	svchcst.exe	39
PID 2004 wrote to memory of 1508	2004	svchcst.exe	39
PID 2004 wrote to memory of 1508	2004	svchcst.exe	39
PID 1508 wrote to memory of 876	1508	WScript.exe	40
PID 1508 wrote to memory of 876	1508	WScript.exe	40
PID 1508 wrote to memory of 876	1508	WScript.exe	40
PID 1508 wrote to memory of 876	1508	WScript.exe	40
PID 876 wrote to memory of 1772	876	svchcst.exe	41
PID 876 wrote to memory of 1772	876	svchcst.exe	41
PID 876 wrote to memory of 1772	876	svchcst.exe	41
PID 876 wrote to memory of 1772	876	svchcst.exe	41
PID 1772 wrote to memory of 1344	1772	WScript.exe	44
PID 1772 wrote to memory of 1344	1772	WScript.exe	44
PID 1772 wrote to memory of 1344	1772	WScript.exe	44
PID 1772 wrote to memory of 1344	1772	WScript.exe	44
PID 1344 wrote to memory of 2984	1344	svchcst.exe	45
PID 1344 wrote to memory of 2984	1344	svchcst.exe	45
PID 1344 wrote to memory of 2984	1344	svchcst.exe	45
PID 1344 wrote to memory of 2984	1344	svchcst.exe	45
PID 2984 wrote to memory of 1592	2984	WScript.exe	46
PID 2984 wrote to memory of 1592	2984	WScript.exe	46
PID 2984 wrote to memory of 1592	2984	WScript.exe	46
PID 2984 wrote to memory of 1592	2984	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe
"C:\Users\Admin\AppData\Local\Temp\80c1ce64896d6c0af8f195c8481c2e50c53327cf5013a360491be65062f377d3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6f5714020e0c5c32fe68aba7840edd6a

SHA1
a009d7075feefcf86895c2dc3a7bd46b2b7da66e

SHA256
0aaa45a182ab34ef311ed0067f2b6a0ac73380a50ead10c1fb3819be228fc865

SHA512
ddf63908e91931182eee895428b1c0ab4302b91af6ef20d590508e85fc1c6d5a204edd9198b21e0776644b5d6994bda271019c1573e45b55c6db8e147174157d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62e18a1f08d654a89e96a6b86f72e783

SHA1
f73cdcb2b6598f9438dd6f61ee20b064f5f9f0c1

SHA256
2677eacc8c41207d1af9d1c4ab7dc0c7ceec3332eafacf944b6316460492a7e5

SHA512
7f92a4f9264cfb5a033c628ffb57a50e7133eb3902c4f425409f9d1b37e524489aa91323b309184c62cffa20d8161708c1b128d21fd736c7b54d1cb6b3d55e65

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a4a5c265896807cb0352f9b006686576

SHA1
3e851808dc5580052db690d808734679df404c36

SHA256
4d0e3af4513831326631b6821555944005f7f9d14f1e5af3df7ce9319a538c7a

SHA512
9fab2a0615a1e834e7ce12a3c32a8135b82e4c10bd143fd860e6fb32ac406a258573674ac021865c368f4dd21bdad5a2c4739767193d4255649eeb9bbe03c72e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
955be3d357ea2cdb019eeecf82e60f6c

SHA1
e4f1341d54c30880012b2c2421a00b81cb142402

SHA256
5ccf35c94e62f6e33ddd3999a7b0095251d9c19714de3876a1de59063298402d

SHA512
643a2330df83ff00d28b545fcf1fe6827a9b261f67a93f6acf9ef36f78ff3345215d3db08b1990ca6d33b2a6cd011135da9ef2d17ce0be1f522f21b0ec688ad5

Download Submit
memory/1768-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download