7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 21:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
Size

1.1MB
MD5

a9eac697c9ae3b58760706ee5d2d53e1
SHA1

0c556069ef02c87ded5d51b5127580e6bed14115
SHA256

7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7
SHA512

16f5ea218c2a61fb91ecd730c2fd4fa3fde5bf2e40a864ef6805ed7a385e1188846efe1aaa07be465e209614a6eb9ecb60817af971d30c5a50609d9c79b2ebfb
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qm:acallSllG4ZM7QzMt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2520	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2520	svchcst.exe
2964	svchcst.exe
756	svchcst.exe
1616	svchcst.exe
760	svchcst.exe
2380	svchcst.exe
604	svchcst.exe
1976	svchcst.exe
2296	svchcst.exe
3064	svchcst.exe
2968	svchcst.exe
2556	svchcst.exe
1608	svchcst.exe
968	svchcst.exe
2236	svchcst.exe
3004	svchcst.exe
1800	svchcst.exe
2664	svchcst.exe
2980	svchcst.exe
2000	svchcst.exe
2988	svchcst.exe
1464	svchcst.exe
1124	svchcst.exe
2436	svchcst.exe

Loads dropped DLL 35 IoCs

pid	Process
2680	WScript.exe
2680	WScript.exe
2572	WScript.exe
1240	WScript.exe
1240	WScript.exe
1764	WScript.exe
1764	WScript.exe
944	WScript.exe
2396	WScript.exe
2036	WScript.exe
2036	WScript.exe
2668	WScript.exe
2156	WScript.exe
2156	WScript.exe
1312	WScript.exe
2916	WScript.exe
2916	WScript.exe
1764	WScript.exe
1764	WScript.exe
2648	WScript.exe
2648	WScript.exe
1420	WScript.exe
1420	WScript.exe
2852	WScript.exe
2852	WScript.exe
916	WScript.exe
916	WScript.exe
2868	WScript.exe
2868	WScript.exe
1636	WScript.exe
1636	WScript.exe
2816	WScript.exe
2816	WScript.exe
408	WScript.exe
408	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
2520	svchcst.exe
2520	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
756	svchcst.exe
756	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
760	svchcst.exe
760	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
604	svchcst.exe
604	svchcst.exe
1976	svchcst.exe
1976	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
968	svchcst.exe
968	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
1464	svchcst.exe
1464	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2680	2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe	28
PID 2580 wrote to memory of 2680	2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe	28
PID 2580 wrote to memory of 2680	2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe	28
PID 2580 wrote to memory of 2680	2580	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe	28
PID 2680 wrote to memory of 2520	2680	WScript.exe	30
PID 2680 wrote to memory of 2520	2680	WScript.exe	30
PID 2680 wrote to memory of 2520	2680	WScript.exe	30
PID 2680 wrote to memory of 2520	2680	WScript.exe	30
PID 2520 wrote to memory of 2572	2520	svchcst.exe	31
PID 2520 wrote to memory of 2572	2520	svchcst.exe	31
PID 2520 wrote to memory of 2572	2520	svchcst.exe	31
PID 2520 wrote to memory of 2572	2520	svchcst.exe	31
PID 2572 wrote to memory of 2964	2572	WScript.exe	32
PID 2572 wrote to memory of 2964	2572	WScript.exe	32
PID 2572 wrote to memory of 2964	2572	WScript.exe	32
PID 2572 wrote to memory of 2964	2572	WScript.exe	32
PID 2964 wrote to memory of 1240	2964	svchcst.exe	33
PID 2964 wrote to memory of 1240	2964	svchcst.exe	33
PID 2964 wrote to memory of 1240	2964	svchcst.exe	33
PID 2964 wrote to memory of 1240	2964	svchcst.exe	33
PID 1240 wrote to memory of 756	1240	WScript.exe	34
PID 1240 wrote to memory of 756	1240	WScript.exe	34
PID 1240 wrote to memory of 756	1240	WScript.exe	34
PID 1240 wrote to memory of 756	1240	WScript.exe	34
PID 756 wrote to memory of 2832	756	svchcst.exe	35
PID 756 wrote to memory of 2832	756	svchcst.exe	35
PID 756 wrote to memory of 2832	756	svchcst.exe	35
PID 756 wrote to memory of 2832	756	svchcst.exe	35
PID 1240 wrote to memory of 1616	1240	WScript.exe	36
PID 1240 wrote to memory of 1616	1240	WScript.exe	36
PID 1240 wrote to memory of 1616	1240	WScript.exe	36
PID 1240 wrote to memory of 1616	1240	WScript.exe	36
PID 1616 wrote to memory of 1764	1616	svchcst.exe	37
PID 1616 wrote to memory of 1764	1616	svchcst.exe	37
PID 1616 wrote to memory of 1764	1616	svchcst.exe	37
PID 1616 wrote to memory of 1764	1616	svchcst.exe	37
PID 1764 wrote to memory of 760	1764	WScript.exe	38
PID 1764 wrote to memory of 760	1764	WScript.exe	38
PID 1764 wrote to memory of 760	1764	WScript.exe	38
PID 1764 wrote to memory of 760	1764	WScript.exe	38
PID 760 wrote to memory of 2088	760	svchcst.exe	39
PID 760 wrote to memory of 2088	760	svchcst.exe	39
PID 760 wrote to memory of 2088	760	svchcst.exe	39
PID 760 wrote to memory of 2088	760	svchcst.exe	39
PID 1764 wrote to memory of 2380	1764	WScript.exe	40
PID 1764 wrote to memory of 2380	1764	WScript.exe	40
PID 1764 wrote to memory of 2380	1764	WScript.exe	40
PID 1764 wrote to memory of 2380	1764	WScript.exe	40
PID 2380 wrote to memory of 944	2380	svchcst.exe	41
PID 2380 wrote to memory of 944	2380	svchcst.exe	41
PID 2380 wrote to memory of 944	2380	svchcst.exe	41
PID 2380 wrote to memory of 944	2380	svchcst.exe	41
PID 944 wrote to memory of 604	944	WScript.exe	42
PID 944 wrote to memory of 604	944	WScript.exe	42
PID 944 wrote to memory of 604	944	WScript.exe	42
PID 944 wrote to memory of 604	944	WScript.exe	42
PID 604 wrote to memory of 2396	604	svchcst.exe	43
PID 604 wrote to memory of 2396	604	svchcst.exe	43
PID 604 wrote to memory of 2396	604	svchcst.exe	43
PID 604 wrote to memory of 2396	604	svchcst.exe	43
PID 2396 wrote to memory of 1976	2396	WScript.exe	46
PID 2396 wrote to memory of 1976	2396	WScript.exe	46
PID 2396 wrote to memory of 1976	2396	WScript.exe	46
PID 2396 wrote to memory of 1976	2396	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
"C:\Users\Admin\AppData\Local\Temp\7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
742f03fbb45f83e024b30c192c3179cd

SHA1
76da251572f6d5b0c7fd8751af69f4fc41c7245d

SHA256
e495e8e585b309277ba1480d29f74d7064bfacd8fd3da2555666b6b66a14d95f

SHA512
54192fb558b23ec434b0806e3512c872a89d0dd2a7ed9b8ba7081376c2f81eb31e99dbae6aeb159538f82a256dff72cb4ff40108ad0c4baceb6d394e624b8a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
28c432197eb922b94a59bac4b1046dc4

SHA1
589d7b3fabf45a4c6d13e36105d6b006c80b9967

SHA256
b6d09ee7241e0902b385975ccdfa7e8bbc349266b3b889cee584f1758bf4ddb6

SHA512
1b7cf4f50b8369086a67bc24034ccc27f806b4f87d6dd42d67eacfa95facb9f114f63bb7f313977adb253421e7e76e53c9ed8a319d49dd35af622864e66702c5

Download Submit
memory/408-242-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/604-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/604-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/756-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/756-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/760-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/760-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/916-207-0x0000000004530000-0x000000000468F000-memory.dmp

Filesize
1.4MB

Download
memory/944-83-0x0000000004360000-0x00000000044BF000-memory.dmp

Filesize
1.4MB

Download
memory/968-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/968-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1124-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1124-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1420-189-0x0000000005B50000-0x0000000005CAF000-memory.dmp

Filesize
1.4MB

Download
memory/1464-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1608-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1608-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-224-0x0000000005E90000-0x0000000005FEF000-memory.dmp

Filesize
1.4MB

Download
memory/1764-72-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-171-0x0000000005B30000-0x0000000005C8F000-memory.dmp

Filesize
1.4MB

Download
memory/1764-60-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/1800-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1800-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-118-0x0000000004770000-0x00000000048CF000-memory.dmp

Filesize
1.4MB

Download
memory/2156-131-0x0000000005C80000-0x0000000005DDF000-memory.dmp

Filesize
1.4MB

Download
memory/2156-144-0x0000000005C80000-0x0000000005DDF000-memory.dmp

Filesize
1.4MB

Download
memory/2236-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2296-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2396-95-0x00000000040E0000-0x000000000423F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2520-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2648-180-0x0000000004370000-0x00000000044CF000-memory.dmp

Filesize
1.4MB

Download
memory/2664-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-14-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-15-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2816-233-0x00000000046B0000-0x000000000480F000-memory.dmp

Filesize
1.4MB

Download
memory/2852-198-0x0000000004130000-0x000000000428F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-215-0x0000000005BC0000-0x0000000005D1F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-162-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/2916-161-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2980-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2980-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download