3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
Size

1.1MB
MD5

0c00d7f84c24174e8aba641c3c12d6e1
SHA1

ef4b05024a87e37613344a23798763a0c9283b03
SHA256

3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625
SHA512

73bd6014f86682502f4e22bc32c839d579c7057b18ccc19af03aad0f36605b11ce6e96e2fb90fcfed588e143f56a5b2f538ab07a96ad0ed70f09008696a33d5c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QJ:acallSllG4ZM7QzM6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2736	svchcst.exe
2044	svchcst.exe
1320	svchcst.exe
2052	svchcst.exe
2252	svchcst.exe
1804	svchcst.exe
308	svchcst.exe
2028	svchcst.exe
2644	svchcst.exe
3056	svchcst.exe
1776	svchcst.exe
688	svchcst.exe
348	svchcst.exe
2856	svchcst.exe
952	svchcst.exe
3028	svchcst.exe
2140	svchcst.exe
2644	svchcst.exe
2836	svchcst.exe
320	svchcst.exe
1508	svchcst.exe
3048	svchcst.exe
1144	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
3012	WScript.exe
3012	WScript.exe
2484	WScript.exe
1068	WScript.exe
1068	WScript.exe
932	WScript.exe
932	WScript.exe
784	WScript.exe
444	WScript.exe
444	WScript.exe
2556	WScript.exe
2508	WScript.exe
2508	WScript.exe
2524	WScript.exe
1112	WScript.exe
1112	WScript.exe
1320	WScript.exe
1320	WScript.exe
2128	WScript.exe
2128	WScript.exe
1808	WScript.exe
1808	WScript.exe
2444	WScript.exe
2444	WScript.exe
1564	WScript.exe
1564	WScript.exe
2476	WScript.exe
2476	WScript.exe
2396	WScript.exe
2396	WScript.exe
1844	WScript.exe
1844	WScript.exe
2564	WScript.exe
2564	WScript.exe
2188	WScript.exe
2188	WScript.exe
1320	WScript.exe
1320	WScript.exe
400	WScript.exe
400	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
2736	svchcst.exe
2736	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
308	svchcst.exe
308	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
688	svchcst.exe
688	svchcst.exe
348	svchcst.exe
348	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
952	svchcst.exe
952	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
320	svchcst.exe
320	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
1144	svchcst.exe
1144	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3012	2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe	28
PID 2880 wrote to memory of 3012	2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe	28
PID 2880 wrote to memory of 3012	2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe	28
PID 2880 wrote to memory of 3012	2880	3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe	28
PID 3012 wrote to memory of 2736	3012	WScript.exe	30
PID 3012 wrote to memory of 2736	3012	WScript.exe	30
PID 3012 wrote to memory of 2736	3012	WScript.exe	30
PID 3012 wrote to memory of 2736	3012	WScript.exe	30
PID 2736 wrote to memory of 2484	2736	svchcst.exe	31
PID 2736 wrote to memory of 2484	2736	svchcst.exe	31
PID 2736 wrote to memory of 2484	2736	svchcst.exe	31
PID 2736 wrote to memory of 2484	2736	svchcst.exe	31
PID 2484 wrote to memory of 2044	2484	WScript.exe	32
PID 2484 wrote to memory of 2044	2484	WScript.exe	32
PID 2484 wrote to memory of 2044	2484	WScript.exe	32
PID 2484 wrote to memory of 2044	2484	WScript.exe	32
PID 2044 wrote to memory of 1068	2044	svchcst.exe	33
PID 2044 wrote to memory of 1068	2044	svchcst.exe	33
PID 2044 wrote to memory of 1068	2044	svchcst.exe	33
PID 2044 wrote to memory of 1068	2044	svchcst.exe	33
PID 1068 wrote to memory of 1320	1068	WScript.exe	34
PID 1068 wrote to memory of 1320	1068	WScript.exe	34
PID 1068 wrote to memory of 1320	1068	WScript.exe	34
PID 1068 wrote to memory of 1320	1068	WScript.exe	34
PID 1320 wrote to memory of 932	1320	svchcst.exe	35
PID 1320 wrote to memory of 932	1320	svchcst.exe	35
PID 1320 wrote to memory of 932	1320	svchcst.exe	35
PID 1320 wrote to memory of 932	1320	svchcst.exe	35
PID 932 wrote to memory of 2052	932	WScript.exe	36
PID 932 wrote to memory of 2052	932	WScript.exe	36
PID 932 wrote to memory of 2052	932	WScript.exe	36
PID 932 wrote to memory of 2052	932	WScript.exe	36
PID 2052 wrote to memory of 784	2052	svchcst.exe	37
PID 2052 wrote to memory of 784	2052	svchcst.exe	37
PID 2052 wrote to memory of 784	2052	svchcst.exe	37
PID 2052 wrote to memory of 784	2052	svchcst.exe	37
PID 784 wrote to memory of 2252	784	WScript.exe	38
PID 784 wrote to memory of 2252	784	WScript.exe	38
PID 784 wrote to memory of 2252	784	WScript.exe	38
PID 784 wrote to memory of 2252	784	WScript.exe	38
PID 2252 wrote to memory of 444	2252	svchcst.exe	39
PID 2252 wrote to memory of 444	2252	svchcst.exe	39
PID 2252 wrote to memory of 444	2252	svchcst.exe	39
PID 2252 wrote to memory of 444	2252	svchcst.exe	39
PID 444 wrote to memory of 1804	444	WScript.exe	40
PID 444 wrote to memory of 1804	444	WScript.exe	40
PID 444 wrote to memory of 1804	444	WScript.exe	40
PID 444 wrote to memory of 1804	444	WScript.exe	40
PID 1804 wrote to memory of 1892	1804	svchcst.exe	41
PID 1804 wrote to memory of 1892	1804	svchcst.exe	41
PID 1804 wrote to memory of 1892	1804	svchcst.exe	41
PID 1804 wrote to memory of 1892	1804	svchcst.exe	41
PID 444 wrote to memory of 308	444	WScript.exe	42
PID 444 wrote to memory of 308	444	WScript.exe	42
PID 444 wrote to memory of 308	444	WScript.exe	42
PID 444 wrote to memory of 308	444	WScript.exe	42
PID 308 wrote to memory of 2556	308	svchcst.exe	43
PID 308 wrote to memory of 2556	308	svchcst.exe	43
PID 308 wrote to memory of 2556	308	svchcst.exe	43
PID 308 wrote to memory of 2556	308	svchcst.exe	43
PID 2556 wrote to memory of 2028	2556	WScript.exe	46
PID 2556 wrote to memory of 2028	2556	WScript.exe	46
PID 2556 wrote to memory of 2028	2556	WScript.exe	46
PID 2556 wrote to memory of 2028	2556	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe
"C:\Users\Admin\AppData\Local\Temp\3596a4bb7a3819ac199e45b3b1b3728d00c5da6463e8f382055adca51d02b625.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3e842960591baa508c742abd6b986678

SHA1
97a352ca0f4603abd720cca4808f83eb91612c65

SHA256
4bfd0cb37d9140bf1b234fdf9fa0b372716d5be56af6f0fb8ff2d3d0d3eb45ec

SHA512
4e8142e7b1296b8602bbb9dd9b56e4a8d297af75da44d1666f1e7e33f1e5127d3f7c93747123d79d83641169839ac70600bdc1df81628a3d8fe6d27f4cdd703b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
65e99dc654df73952c73a77b0d5b0601

SHA1
900643b3c3bcdd8a5b4976b2150744f26e9161d8

SHA256
b34bb2b1c22f9c0e4fe7fb1c0babde7a9c175f2430700065332a4cbfb95915ec

SHA512
e5c90e2b8891ad406aa420b44212e08663809dcac08706fbeaa94bcfdbbd533a523d2795039c9f4d6fe5969003bb475db8e11c0bb9eb859c865fa8051c8c84df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5ca0214a24638d47d3b0bead2b02e05f

SHA1
eec2caa6635f1718332484e27490650d2bb6e485

SHA256
7a4627c827e8d2fe475826128ead9f7b5089aecba6e2451a1fd96a2c68b587ee

SHA512
48676b23f48af31aa084bf2c6148c3400cda2fbd81809114459ca240354bc31ea648426fbe3e987d26c2ad815461c90a3fc876df147d41015e05c5bbee8bbf88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b88b763447e76a544c87686151844ee3

SHA1
969e2130ebfda0a8a5923a03ab832ec7188400cf

SHA256
54fb7ddc76b97eeb02c9dc246760ce5fc8581cda8d50b641c2ae5d96790d22c5

SHA512
96b15a82a40aaac65bf83e0574b711a26e7a0b55dc638f48f12c8c6bc5c3d0cd9f15f4e831cbd16d57622674f4d646b00c3fae630e1f43765e2899493da207fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b7fc1ed8a53b05bac88b4094f6421769

SHA1
b76f0f4585f4db0516f6d99d72322d78524ed706

SHA256
07d82d82aed64ea3986bfb9b7560ee27babadd1c48302f283a646aa0570a1aab

SHA512
d1ad4d333296fa62c7bc4b336006462723dcc75a70219f9e7616a95f0a1d840795a66dca2b568734139342d03c56bc49cd72ef41f5a2140b0c484facbf940f6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a4e73766af280550763ad94d7c898fc5

SHA1
3610c942c2fe9238e044acc0b44528e17029315c

SHA256
ca18ac92540221415ff641ea070a55d33880bbd9055637ad9d267f2407c4b917

SHA512
18357c951b43d159fc9a06669d290881a89e5a6826b84caff2a31777eec07757869def15787987f3c1000ea8ea2e2614f1f3cac36e4a5a9fb50d6628bdecc86c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87eaf74e59af8c3b31e17363301e3d3e

SHA1
5b862f8576c91d761cfb564b7e6f978662e39566

SHA256
10048864d63d729d6c8a3a9bc4c7d7425808190ec45c12710f93fa4841eae08d

SHA512
d1e39a208a002eb8685a0649ed66da4d353ef4e3bc909151021e3cb5ea9734ccdd1f9210857a9fe869c42bb3523df05714cefad17d21e3985690912222165960

Download Submit
memory/308-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/308-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/320-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/320-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/348-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/348-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/400-245-0x0000000004760000-0x00000000048BF000-memory.dmp

Filesize
1.4MB

Download
memory/444-79-0x0000000004610000-0x000000000476F000-memory.dmp

Filesize
1.4MB

Download
memory/444-92-0x0000000004870000-0x00000000049CF000-memory.dmp

Filesize
1.4MB

Download
memory/688-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/932-55-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/952-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/952-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1068-42-0x00000000043B0000-0x000000000450F000-memory.dmp

Filesize
1.4MB

Download
memory/1144-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1144-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-154-0x0000000005B10000-0x0000000005C6F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1320-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-188-0x0000000005C10000-0x0000000005D6F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-144-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1808-171-0x0000000004900000-0x0000000004A5F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2044-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2044-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2052-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2252-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-179-0x0000000005E80000-0x0000000005FDF000-memory.dmp

Filesize
1.4MB

Download
memory/2644-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-244-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download