6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06-07-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe
Size

1.1MB
MD5

46dc83238b43db8b1e3c494fd107bcde
SHA1

2828ba3109f07f711987b7686499577152e0a53b
SHA256

6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e
SHA512

f4e14c48acca27f7d3eae2cb45f85a8287e2d6ea25e75f2c3d35f1aedb2063ae6066f4aa1feb95e60063a99a87a48008c7f8738923d9e3571142d8e193e0457f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qp:CcaClSFlG4ZM7QzM6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1128	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
1128	svchcst.exe
2640	svchcst.exe
1784	svchcst.exe
2532	svchcst.exe
1788	svchcst.exe
2364	svchcst.exe
1268	svchcst.exe
1776	svchcst.exe
2768	svchcst.exe
1108	svchcst.exe
2888	svchcst.exe
3032	svchcst.exe
2912	svchcst.exe
1740	svchcst.exe
1876	svchcst.exe
1464	svchcst.exe
2752	svchcst.exe
2780	svchcst.exe
1036	svchcst.exe
2256	svchcst.exe
1992	svchcst.exe
2188	svchcst.exe
380	svchcst.exe
892	svchcst.exe
1876	svchcst.exe

Loads dropped DLL 48 IoCs

pid	Process
2872	WScript.exe
2872	WScript.exe
2260	WScript.exe
2260	WScript.exe
3052	WScript.exe
3052	WScript.exe
380	WScript.exe
380	WScript.exe
1044	WScript.exe
1044	WScript.exe
1584	WScript.exe
1584	WScript.exe
1584	WScript.exe
1584	WScript.exe
2176	WScript.exe
2176	WScript.exe
820	WScript.exe
820	WScript.exe
2936	WScript.exe
2936	WScript.exe
3012	WScript.exe
3012	WScript.exe
1000	WScript.exe
1000	WScript.exe
2012	WScript.exe
2012	WScript.exe
2556	WScript.exe
2556	WScript.exe
1528	WScript.exe
1528	WScript.exe
2280	WScript.exe
2280	WScript.exe
2248	WScript.exe
2248	WScript.exe
3016	WScript.exe
3016	WScript.exe
2932	WScript.exe
2932	WScript.exe
2696	WScript.exe
2696	WScript.exe
2820	WScript.exe
2820	WScript.exe
860	WScript.exe
860	WScript.exe
1284	WScript.exe
1284	WScript.exe
2760	WScript.exe
2760	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe
884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe
1128	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe
884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe
1128	svchcst.exe
1128	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
1788	svchcst.exe
1788	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
1108	svchcst.exe
1108	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
1740	svchcst.exe
1740	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
1464	svchcst.exe
1464	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
380	svchcst.exe
380	svchcst.exe
892	svchcst.exe
892	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2872	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	30
PID 884 wrote to memory of 2872	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	30
PID 884 wrote to memory of 2872	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	30
PID 884 wrote to memory of 2872	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	30
PID 884 wrote to memory of 2880	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	31
PID 884 wrote to memory of 2880	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	31
PID 884 wrote to memory of 2880	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	31
PID 884 wrote to memory of 2880	884	6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe	31
PID 2872 wrote to memory of 1128	2872	WScript.exe	33
PID 2872 wrote to memory of 1128	2872	WScript.exe	33
PID 2872 wrote to memory of 1128	2872	WScript.exe	33
PID 2872 wrote to memory of 1128	2872	WScript.exe	33
PID 1128 wrote to memory of 2260	1128	svchcst.exe	34
PID 1128 wrote to memory of 2260	1128	svchcst.exe	34
PID 1128 wrote to memory of 2260	1128	svchcst.exe	34
PID 1128 wrote to memory of 2260	1128	svchcst.exe	34
PID 2260 wrote to memory of 2640	2260	WScript.exe	35
PID 2260 wrote to memory of 2640	2260	WScript.exe	35
PID 2260 wrote to memory of 2640	2260	WScript.exe	35
PID 2260 wrote to memory of 2640	2260	WScript.exe	35
PID 2640 wrote to memory of 3052	2640	svchcst.exe	36
PID 2640 wrote to memory of 3052	2640	svchcst.exe	36
PID 2640 wrote to memory of 3052	2640	svchcst.exe	36
PID 2640 wrote to memory of 3052	2640	svchcst.exe	36
PID 3052 wrote to memory of 1784	3052	WScript.exe	37
PID 3052 wrote to memory of 1784	3052	WScript.exe	37
PID 3052 wrote to memory of 1784	3052	WScript.exe	37
PID 3052 wrote to memory of 1784	3052	WScript.exe	37
PID 1784 wrote to memory of 380	1784	svchcst.exe	38
PID 1784 wrote to memory of 380	1784	svchcst.exe	38
PID 1784 wrote to memory of 380	1784	svchcst.exe	38
PID 1784 wrote to memory of 380	1784	svchcst.exe	38
PID 380 wrote to memory of 2532	380	WScript.exe	39
PID 380 wrote to memory of 2532	380	WScript.exe	39
PID 380 wrote to memory of 2532	380	WScript.exe	39
PID 380 wrote to memory of 2532	380	WScript.exe	39
PID 2532 wrote to memory of 1044	2532	svchcst.exe	41
PID 2532 wrote to memory of 1044	2532	svchcst.exe	41
PID 2532 wrote to memory of 1044	2532	svchcst.exe	41
PID 2532 wrote to memory of 1044	2532	svchcst.exe	41
PID 2532 wrote to memory of 1584	2532	svchcst.exe	40
PID 2532 wrote to memory of 1584	2532	svchcst.exe	40
PID 2532 wrote to memory of 1584	2532	svchcst.exe	40
PID 2532 wrote to memory of 1584	2532	svchcst.exe	40
PID 1044 wrote to memory of 1788	1044	WScript.exe	42
PID 1044 wrote to memory of 1788	1044	WScript.exe	42
PID 1044 wrote to memory of 1788	1044	WScript.exe	42
PID 1044 wrote to memory of 1788	1044	WScript.exe	42
PID 1584 wrote to memory of 2364	1584	WScript.exe	43
PID 1584 wrote to memory of 2364	1584	WScript.exe	43
PID 1584 wrote to memory of 2364	1584	WScript.exe	43
PID 1584 wrote to memory of 2364	1584	WScript.exe	43
PID 1584 wrote to memory of 1268	1584	WScript.exe	44
PID 1584 wrote to memory of 1268	1584	WScript.exe	44
PID 1584 wrote to memory of 1268	1584	WScript.exe	44
PID 1584 wrote to memory of 1268	1584	WScript.exe	44
PID 1268 wrote to memory of 1896	1268	svchcst.exe	45
PID 1268 wrote to memory of 1896	1268	svchcst.exe	45
PID 1268 wrote to memory of 1896	1268	svchcst.exe	45
PID 1268 wrote to memory of 1896	1268	svchcst.exe	45
PID 1584 wrote to memory of 1776	1584	WScript.exe	46
PID 1584 wrote to memory of 1776	1584	WScript.exe	46
PID 1584 wrote to memory of 1776	1584	WScript.exe	46
PID 1584 wrote to memory of 1776	1584	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe
"C:\Users\Admin\AppData\Local\Temp\6921f25c7fc434c26e3f72254279cc093926dfc76729ff93effdf0575f5e261e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
86d19ce5aadee25f714fba14c344487c

SHA1
1c6a6ea725b089790130f632918c8d62067745ae

SHA256
b0e49ec91275483b583ebb333ad5c7c8b3d3ad53d8cb90c145a9576b073d4667

SHA512
d62e2b518e5ad3821e7342057be06200a83fb0c38f55eec907c364b50fcbff3d6adb59b0410cbd86e58895a314a104f15567625a947d52adf43d71a222294487

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
39910ed32746a39cece07b645b225ce5

SHA1
c5ae9e654240740981629cd46a021320e43b8b7f

SHA256
38f1122b39c98c1a3eb1c766d5476ef2018fc0ddfe0b4fa4b435b20aed7ceacc

SHA512
f5fd3d5bd105b9ad41c7610fe4b4deb37ab8a2867f079a40196f93437978542895b07a1d3bfc0bf50a45dbe136da8b29863e6d068edd78bd1dff80b3ead9778d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
57c9969bae7edf90258e1c67ba406ffc

SHA1
5374e6025eb618de43ae9c5b0202f3c198f991f6

SHA256
1120a2f63e93403d1a0deee6ddba2980551042e1f01b0ca409a133d923204f5d

SHA512
8f2120749f268985c3c8ff9294c8a79c29c0281bba42300a809b94de30b3d3df942d6075dd6cdc8c99a2368019439f4cbf1b6542ba4b6b105094657413aab70e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ce26fb20c6f053e5b5eafd85eb5938c

SHA1
87e309b63b97bebd69e9f1da0007800933755175

SHA256
0837e1fec4bac82c2a56a80c9a902ba69eab4b19602bd0a11c08388de1b560bf

SHA512
a70fb14b4607a5f9865fe489f88b4a6866d9f44f2f7e8f1d585e8d01a2eec52be64351afa80a74c713266832d9540b6cdfa6b59ecd14e06fab6a7a76720a0471

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d63f3751fda6866d9728a5d10a9cc6dd

SHA1
0d6cd6d7c3352ca4d4f270350b4204c672a3fd2d

SHA256
1649c201d9fa3d0107cef1775d4f3c4dfc3fb22e9e2cb827d3c38ebb9ee2791b

SHA512
1e5d10a65dda6fac58a669b2253a5446b1d6c53f39d3095c7eb8512a0b367a1c119fe5882b005e30d4d7ca09753174368e8de027e64f93c614a821235e88e912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
40ac23b0d75b91082faaa0e166ca58f8

SHA1
f762090ce2e2733a1654c5d1b2b1d5d8835fbf28

SHA256
ecd6da4404312b04bdcf1287b0616a8ffaa9a489b6325c1c832405c0d832ba63

SHA512
86969b8fff2718973f8a51479e03fc94272eaf1df13e39507615c6fc45c38a5c3b6ccdf19ee7727d88e40379dc0a332de9aedc1eaf2a2e6b9f8d6e8e23ad1e7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
937e910651d2a3168b313537e3e9eeb2

SHA1
fffb688ee80481e0551c280e17375e82f553f27a

SHA256
f3cf314b0fecacf2410807a0756f066d938077ef610e42850830a030cf6f984a

SHA512
b7d57a7395fbade9097fddc02ae08bff37e179ad217fa1895a3804efe3ea18f4f5f36419f653a9a67883a5c989c90cddc72f2f16627e7f150798053f9fd25957

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
02c5a58fd858081e2f591e4d19193e34

SHA1
45981e39db1f5fd14dae74784aa5f3964ea510d5

SHA256
9697c28d952838c87ea3d48b954d42063b098b45e5f37c7c97ef76a07020d213

SHA512
1f459322e688e044bba7b36a30bf0ba2c12bef7737556388e9a59070e1fbcc0a7d69bb037e163092fe00a441d93f5988aaf52c7d7991e18e60760640e0e2d47b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2cb950314020cd6d0ad7a60de10bef00

SHA1
508e3e4dec043f95794b3d5626328e4eacd25e41

SHA256
2a91eb5db0844f0f197884f2efad46715e8f64f6302e215b912154613c478ee3

SHA512
f990db84edece9ca173ac2b19932622c623e4708d133265d491dd9c7bcbe2c1c852df8261414408a392890bf3c31f9a883b615e2c536d75f2fade0af8a7239ff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8a61b74e9b43d139e62a0773b2811531

SHA1
fb25c8554f3cfb9a77f9cbf7248ce801c5a32e1e

SHA256
c28dadf006deb06fa1de9ec9730563ed19dce1b02e76ad06f31a167d1f8d1005

SHA512
d9f660e371b2b5e059d4b77d0d3c2feedc3f6c598115cc4e5479529d7e36ade6e839bca2f8058ecc5455e582598b03ca54abf102911e3979735f2fe1f4d96a31

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6e92af24d96ad32e1070267978c2715c

SHA1
0737dc91a38f9ad4cd1c49221cdffcd96017a274

SHA256
7d82469ccbc0827ce552e6c1ee86bf76c2151d83b3e32a9f9821bd6613674de1

SHA512
57fbb596147ace3fe1281ea723536ebba370f6bb0c474a589f5872012e135dd95665ee0fec03b6abc9b7d71577054d7dfde9b3f270ae5bfe84e8e444eb845f56

Download Submit
memory/884-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download