1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe
Size

1.1MB
MD5

0871852791f40a442b0284ea5123f3f4
SHA1

4c694eefc156a7ce9b30d267588265bc5dea3b65
SHA256

1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3
SHA512

094eef7df3de266768b4b3cb0dcc2b691e66902fe35a60443e105f119d0676ab5cfe94ad622e8fa58e3356a7e4f05a313f4edea8a39a80065c03333b39cac13f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qo:CcaClSFlG4ZM7QzM/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2328	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2328	svchcst.exe
3024	svchcst.exe
2028	svchcst.exe
2212	svchcst.exe
2184	svchcst.exe
2476	svchcst.exe
2440	svchcst.exe
2904	svchcst.exe
2760	svchcst.exe
2556	svchcst.exe
2504	svchcst.exe
2032	svchcst.exe
828	svchcst.exe
1844	svchcst.exe
1484	svchcst.exe
1972	svchcst.exe
2060	svchcst.exe
1088	svchcst.exe
2168	svchcst.exe
1516	svchcst.exe
1048	svchcst.exe
2272	svchcst.exe
828	svchcst.exe
1792	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2412	WScript.exe
2412	WScript.exe
2676	WScript.exe
2496	WScript.exe
2208	WScript.exe
1956	WScript.exe
1044	WScript.exe
1696	WScript.exe
1696	WScript.exe
3008	WScript.exe
2856	WScript.exe
2856	WScript.exe
3008	WScript.exe
3008	WScript.exe
2856	WScript.exe
2856	WScript.exe
2240	WScript.exe
2240	WScript.exe
372	WScript.exe
620	WScript.exe
620	WScript.exe
1384	WScript.exe
1384	WScript.exe
900	WScript.exe
900	WScript.exe
1396	WScript.exe
1396	WScript.exe
2412	WScript.exe
2412	WScript.exe
2792	WScript.exe
2792	WScript.exe
2520	WScript.exe
2520	WScript.exe
2236	WScript.exe
2236	WScript.exe
292	WScript.exe
292	WScript.exe
2280	WScript.exe
2280	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe
2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe
2328	svchcst.exe
2328	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2184	svchcst.exe
2184	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
828	svchcst.exe
828	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
1088	svchcst.exe
1088	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
828	svchcst.exe
828	svchcst.exe
1792	svchcst.exe
1792	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2412	2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe	28
PID 2420 wrote to memory of 2412	2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe	28
PID 2420 wrote to memory of 2412	2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe	28
PID 2420 wrote to memory of 2412	2420	1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe	28
PID 2412 wrote to memory of 2328	2412	WScript.exe	30
PID 2412 wrote to memory of 2328	2412	WScript.exe	30
PID 2412 wrote to memory of 2328	2412	WScript.exe	30
PID 2412 wrote to memory of 2328	2412	WScript.exe	30
PID 2328 wrote to memory of 2676	2328	svchcst.exe	31
PID 2328 wrote to memory of 2676	2328	svchcst.exe	31
PID 2328 wrote to memory of 2676	2328	svchcst.exe	31
PID 2328 wrote to memory of 2676	2328	svchcst.exe	31
PID 2676 wrote to memory of 3024	2676	WScript.exe	32
PID 2676 wrote to memory of 3024	2676	WScript.exe	32
PID 2676 wrote to memory of 3024	2676	WScript.exe	32
PID 2676 wrote to memory of 3024	2676	WScript.exe	32
PID 3024 wrote to memory of 2496	3024	svchcst.exe	33
PID 3024 wrote to memory of 2496	3024	svchcst.exe	33
PID 3024 wrote to memory of 2496	3024	svchcst.exe	33
PID 3024 wrote to memory of 2496	3024	svchcst.exe	33
PID 2496 wrote to memory of 2028	2496	WScript.exe	34
PID 2496 wrote to memory of 2028	2496	WScript.exe	34
PID 2496 wrote to memory of 2028	2496	WScript.exe	34
PID 2496 wrote to memory of 2028	2496	WScript.exe	34
PID 2028 wrote to memory of 2208	2028	svchcst.exe	35
PID 2028 wrote to memory of 2208	2028	svchcst.exe	35
PID 2028 wrote to memory of 2208	2028	svchcst.exe	35
PID 2028 wrote to memory of 2208	2028	svchcst.exe	35
PID 2208 wrote to memory of 2212	2208	WScript.exe	36
PID 2208 wrote to memory of 2212	2208	WScript.exe	36
PID 2208 wrote to memory of 2212	2208	WScript.exe	36
PID 2208 wrote to memory of 2212	2208	WScript.exe	36
PID 2212 wrote to memory of 1956	2212	svchcst.exe	37
PID 2212 wrote to memory of 1956	2212	svchcst.exe	37
PID 2212 wrote to memory of 1956	2212	svchcst.exe	37
PID 2212 wrote to memory of 1956	2212	svchcst.exe	37
PID 1956 wrote to memory of 2184	1956	WScript.exe	38
PID 1956 wrote to memory of 2184	1956	WScript.exe	38
PID 1956 wrote to memory of 2184	1956	WScript.exe	38
PID 1956 wrote to memory of 2184	1956	WScript.exe	38
PID 2184 wrote to memory of 1044	2184	svchcst.exe	39
PID 2184 wrote to memory of 1044	2184	svchcst.exe	39
PID 2184 wrote to memory of 1044	2184	svchcst.exe	39
PID 2184 wrote to memory of 1044	2184	svchcst.exe	39
PID 1044 wrote to memory of 2476	1044	WScript.exe	40
PID 1044 wrote to memory of 2476	1044	WScript.exe	40
PID 1044 wrote to memory of 2476	1044	WScript.exe	40
PID 1044 wrote to memory of 2476	1044	WScript.exe	40
PID 2476 wrote to memory of 1696	2476	svchcst.exe	41
PID 2476 wrote to memory of 1696	2476	svchcst.exe	41
PID 2476 wrote to memory of 1696	2476	svchcst.exe	41
PID 2476 wrote to memory of 1696	2476	svchcst.exe	41
PID 1696 wrote to memory of 2440	1696	WScript.exe	42
PID 1696 wrote to memory of 2440	1696	WScript.exe	42
PID 1696 wrote to memory of 2440	1696	WScript.exe	42
PID 1696 wrote to memory of 2440	1696	WScript.exe	42
PID 2440 wrote to memory of 2320	2440	svchcst.exe	43
PID 2440 wrote to memory of 2320	2440	svchcst.exe	43
PID 2440 wrote to memory of 2320	2440	svchcst.exe	43
PID 2440 wrote to memory of 2320	2440	svchcst.exe	43
PID 1696 wrote to memory of 2904	1696	WScript.exe	46
PID 1696 wrote to memory of 2904	1696	WScript.exe	46
PID 1696 wrote to memory of 2904	1696	WScript.exe	46
PID 1696 wrote to memory of 2904	1696	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe
"C:\Users\Admin\AppData\Local\Temp\1c3132b3eb69fcca043e7f5081aa2fafdb18d5c90a723626fe2c723b038640f3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
62dfebf9dc86eba7ccf11986b8d70738

SHA1
23ac9c5ddf77f57a90d0603a0912a846ee09d573

SHA256
97177fe7da0ef1c937e7d47cfa834bda948234c4d43d0df9f6e78e1aa91240c8

SHA512
98c3dd6db9d6bd39860d0c218f60923f2717a93c1a59a06e8ba8e24bf0c46ba98a9c95aa5b0f7c7e1f9e6f2cc62c145ca7d439e2005df7745da82d96c2b48060

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1145c4f1e40e6cfe88ac42eb01ca3f74

SHA1
fbddbef68d5559253550ff46ec81e0e00b1bda5c

SHA256
1aa931f389d3d6e87f4facf93e046e1a3001044b6feae89e619b63b68c38cc39

SHA512
3e067b99e66ae8abf3934a4187b17a1eb1fc306ef242586ad8005e70f11f9fb578abaf6de513062fd0ec4de7989041d1e7200e1b04dc713cd99edad95fb0da28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
311dad7c1fd161da84b99c0c5ba1e3db

SHA1
efbb98a7df6cefe3cfd5500417c87626751db452

SHA256
cbd666fdddadc4432b266b944148bb85d7f0fec16711afa91dc258bb17169119

SHA512
0b80136c89d25f392a56dc5555536436511278b789d0f6bf220bdb663442a79f69f0bdbcf9b07e6952d6dc3c543808ac5ff82fbb3da7459436044f71fce36e8c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b427b5d7ad074502c65cac58ac3d6d79

SHA1
1fb1a26ccc4742472e02bf093b8805e5ebdd4245

SHA256
ceb05b8a508da2e070547bc3f650ecf9bd3a9e51cea9b979e890601c876caeee

SHA512
f22226135c919e005713169ee315a86f39bc5014f1372ba0f248da5f770970c9d737204e2346a9df3db4ea5e8206387395d90bdbd2910e77472deceebc5658d3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9412ec086f292b79a1b769106220c097

SHA1
1e2ad78572c1a22fb633a90fe9f9a797fa9874cc

SHA256
9d8c69f0d6ec0d6937d96ca151ea735aa233d4fe5167cb4e0efbe2fbcd951aa7

SHA512
f52ed6ea640f2052d8d3714085fe8a02424d1751feb7951e3541033deb5b27baef2c1850b49e8c1949a06dffb22dbf0bd78e9c12df0544b2b63aafcb7f1dcb9c

Download Submit
memory/2420-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download