883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 22:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe
Size

1.1MB
MD5

62d162e54289af2a3740ae90d1f5129c
SHA1

f8704c34cf0de3403ce7710f8cbdf518af55f798
SHA256

883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce
SHA512

c9386e4a22693328da04e10fa4a488216d4f836238f7ec0c8d9e2e828fc5f4cab5a64befddb96070a25e31f0751dc6b6c7989bd47c1ec22f5620d6a18fba98f6
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qq:CcaClSFlG4ZM7QzMZ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2284	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2284	svchcst.exe
2464	svchcst.exe
2728	svchcst.exe
1260	svchcst.exe
2164	svchcst.exe
2336	svchcst.exe
2036	svchcst.exe
2824	svchcst.exe
2744	svchcst.exe
2972	svchcst.exe
2384	svchcst.exe
2996	svchcst.exe
2596	svchcst.exe
2444	svchcst.exe
1648	svchcst.exe
1596	svchcst.exe
2844	svchcst.exe
2120	svchcst.exe
2956	svchcst.exe
2940	svchcst.exe
2272	svchcst.exe
2220	svchcst.exe
908	svchcst.exe
664	svchcst.exe

Loads dropped DLL 47 IoCs

pid	Process
2928	WScript.exe
2928	WScript.exe
2692	WScript.exe
2692	WScript.exe
2584	WScript.exe
2584	WScript.exe
2996	WScript.exe
2996	WScript.exe
2444	WScript.exe
2444	WScript.exe
2008	WScript.exe
2008	WScript.exe
1944	WScript.exe
2600	WScript.exe
2600	WScript.exe
1748	WScript.exe
1748	WScript.exe
1960	WScript.exe
1960	WScript.exe
2872	WScript.exe
2872	WScript.exe
1068	WScript.exe
1068	WScript.exe
1344	WScript.exe
1344	WScript.exe
548	WScript.exe
548	WScript.exe
804	WScript.exe
804	WScript.exe
992	WScript.exe
992	WScript.exe
2348	WScript.exe
2348	WScript.exe
1724	WScript.exe
1724	WScript.exe
572	WScript.exe
572	WScript.exe
2468	WScript.exe
2468	WScript.exe
2636	WScript.exe
2636	WScript.exe
3028	WScript.exe
3028	WScript.exe
2608	WScript.exe
2608	WScript.exe
2208	WScript.exe
2208	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2464	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe
1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe
2284	svchcst.exe
2284	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
1260	svchcst.exe
1260	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
1648	svchcst.exe
1648	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
908	svchcst.exe
908	svchcst.exe
664	svchcst.exe
664	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2928	1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe	30
PID 1748 wrote to memory of 2928	1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe	30
PID 1748 wrote to memory of 2928	1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe	30
PID 1748 wrote to memory of 2928	1748	883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe	30
PID 2928 wrote to memory of 2284	2928	WScript.exe	32
PID 2928 wrote to memory of 2284	2928	WScript.exe	32
PID 2928 wrote to memory of 2284	2928	WScript.exe	32
PID 2928 wrote to memory of 2284	2928	WScript.exe	32
PID 2284 wrote to memory of 2692	2284	svchcst.exe	33
PID 2284 wrote to memory of 2692	2284	svchcst.exe	33
PID 2284 wrote to memory of 2692	2284	svchcst.exe	33
PID 2284 wrote to memory of 2692	2284	svchcst.exe	33
PID 2692 wrote to memory of 2464	2692	WScript.exe	34
PID 2692 wrote to memory of 2464	2692	WScript.exe	34
PID 2692 wrote to memory of 2464	2692	WScript.exe	34
PID 2692 wrote to memory of 2464	2692	WScript.exe	34
PID 2464 wrote to memory of 2584	2464	svchcst.exe	35
PID 2464 wrote to memory of 2584	2464	svchcst.exe	35
PID 2464 wrote to memory of 2584	2464	svchcst.exe	35
PID 2464 wrote to memory of 2584	2464	svchcst.exe	35
PID 2584 wrote to memory of 2728	2584	WScript.exe	36
PID 2584 wrote to memory of 2728	2584	WScript.exe	36
PID 2584 wrote to memory of 2728	2584	WScript.exe	36
PID 2584 wrote to memory of 2728	2584	WScript.exe	36
PID 2728 wrote to memory of 2996	2728	svchcst.exe	37
PID 2728 wrote to memory of 2996	2728	svchcst.exe	37
PID 2728 wrote to memory of 2996	2728	svchcst.exe	37
PID 2728 wrote to memory of 2996	2728	svchcst.exe	37
PID 2996 wrote to memory of 1260	2996	WScript.exe	38
PID 2996 wrote to memory of 1260	2996	WScript.exe	38
PID 2996 wrote to memory of 1260	2996	WScript.exe	38
PID 2996 wrote to memory of 1260	2996	WScript.exe	38
PID 1260 wrote to memory of 2444	1260	svchcst.exe	39
PID 1260 wrote to memory of 2444	1260	svchcst.exe	39
PID 1260 wrote to memory of 2444	1260	svchcst.exe	39
PID 1260 wrote to memory of 2444	1260	svchcst.exe	39
PID 2444 wrote to memory of 2164	2444	WScript.exe	40
PID 2444 wrote to memory of 2164	2444	WScript.exe	40
PID 2444 wrote to memory of 2164	2444	WScript.exe	40
PID 2444 wrote to memory of 2164	2444	WScript.exe	40
PID 2164 wrote to memory of 2008	2164	svchcst.exe	41
PID 2164 wrote to memory of 2008	2164	svchcst.exe	41
PID 2164 wrote to memory of 2008	2164	svchcst.exe	41
PID 2164 wrote to memory of 2008	2164	svchcst.exe	41
PID 2008 wrote to memory of 2336	2008	WScript.exe	42
PID 2008 wrote to memory of 2336	2008	WScript.exe	42
PID 2008 wrote to memory of 2336	2008	WScript.exe	42
PID 2008 wrote to memory of 2336	2008	WScript.exe	42
PID 2336 wrote to memory of 1944	2336	svchcst.exe	43
PID 2336 wrote to memory of 1944	2336	svchcst.exe	43
PID 2336 wrote to memory of 1944	2336	svchcst.exe	43
PID 2336 wrote to memory of 1944	2336	svchcst.exe	43
PID 1944 wrote to memory of 2036	1944	WScript.exe	44
PID 1944 wrote to memory of 2036	1944	WScript.exe	44
PID 1944 wrote to memory of 2036	1944	WScript.exe	44
PID 1944 wrote to memory of 2036	1944	WScript.exe	44
PID 2036 wrote to memory of 2600	2036	svchcst.exe	45
PID 2036 wrote to memory of 2600	2036	svchcst.exe	45
PID 2036 wrote to memory of 2600	2036	svchcst.exe	45
PID 2036 wrote to memory of 2600	2036	svchcst.exe	45
PID 2600 wrote to memory of 2824	2600	WScript.exe	46
PID 2600 wrote to memory of 2824	2600	WScript.exe	46
PID 2600 wrote to memory of 2824	2600	WScript.exe	46
PID 2600 wrote to memory of 2824	2600	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe
"C:\Users\Admin\AppData\Local\Temp\883dc14e2ff979685ac6b1f732ebb4ba52b83a6f0f1660c222acf4ef8a253cce.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
17f2671e8f23f9103d2514242240d0be

SHA1
c9ed936bd29fde1c1f6b45fbb9c5b169e4e693ad

SHA256
8e1a137229e195fdb1dab221deed7c19500390bbd58a0fe47e188079b18ff73f

SHA512
d678f538b098de9b443c0fb5db8d95d3e0d1eb132af5f4cb966362e31c822ddea0223c5e9d3910ebb8e5f16e0addf2146428aa506f5620407c6600bc1edfff44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
88047a6ed232403bf84f05efae339cf0

SHA1
dd765d1b03fafbae08667451ec600d40d8f5e09b

SHA256
df64813d82dc140b61f6af603587a761eac4343f1e0757571cfe3d0ca6d0c2cc

SHA512
11b6476715fad9ec690733c71043b0b536c025b1856c8da0b61afc03379cc4f7adcbf6800a6a52e4f263cf58170cfb4d9b1839bafce72431ffb28ed99a667d18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6df459ea2141843cd0d6ae421fb18ef3

SHA1
8a3b9ff169bd9da7c30688d0544f85d3521bcb5c

SHA256
d8762535cd97ace525b3cc7908ab3a1367ecd1ff40051f286d4d3f34bdd9835a

SHA512
c380e70c49506822070bf05fe32f68cebaee2f1d6ae948e4a27d0de844ac02b0fece7691869b9a315919387ab43c6a621affb43c12f0a1e80d887718a88f010f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
038c7412513d65638fafb5b48b97e12b

SHA1
5751383fb377268f09bea4463b35c9cb71dd3204

SHA256
56c61aedb5e295c5e5a8ebf88f6a3971631ac35302c42f84bfebbfb35c7baba2

SHA512
747e7e78922c6e3b640086a49b993bd792913df015c2ebd2366d4f9e97955b9d52ddc6ea0fc87b7ebc7afd9a64db1f21ebe1fa4baf854a629ee7e590fc2cb44e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d7b41cc240a7ea3197fdde553289fcc0

SHA1
03321046407ee6cf6945c3ba24e239b239e0b958

SHA256
1f6fecca6e0354101e04353c5fed3e38ac6685e12b734fbb20ccf9347c7a389a

SHA512
23746900e3f534bea8857e1b07face5e061867e1f4c1ed3af6eea2fe58946bd3deff8b02b6aeeff9cd445f1d50343ea631219edf2092cc1332ca249fc689a7ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9c9e9318386fad3d124a343040063af1

SHA1
7442fddd1b32a640c3c5a091e2ba5e1b5e5a4138

SHA256
49763b00fd84f4aff553a177904bccc14f250852c69fd9ea944bf0c2fb228821

SHA512
626deba529760148a1597dfa914c692b727ab3e7a4b87fe057dd1a71d49f0cd3dfbd08169325a93094a25f85ccf9044f3032a38752c955309702697ead7b9f11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
42faa025fca5e3df2d269a9411073e9a

SHA1
96753fe033319d701bc6f22adf4ca46cfad3a53d

SHA256
4fc5a8191ab7b0d96318ba6b200b1c3f9c7331fa94449245ae3db8d9b452f4cc

SHA512
3b042768acc827186f3196dbcd4e48b681426cbf85739007bae40477ee157f8d633b5cd89d74f895184c6b7c49dc35afc443470f96e5e60880a4633c21d9fe83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d379db692e686b9eed35291489414ff4

SHA1
b0e60ee90e3a72211f7a4e16b16d8a53143977c1

SHA256
9c0c042d7129241b7f87c8c4c138fe7689879222373d5181ac92cf0472ce7ab1

SHA512
83e0c6d29f6d4566671ff3137bc60f715f1e65f1c622d1f9385a9d93936435b2f3274ade3e9a16fe1eef629286b2c8b9a8a0a31bac03c85e247e16bc2ed012b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d7e19f3f38a3cfc41f26cb82a6294818

SHA1
844e3c51eba867a6ff06367e5ff5d47f742be53c

SHA256
a3a6270fc03086976472e26c26c88c03f76beff3199fb07e73ab748f1fe59fbb

SHA512
1e867ab649196425d4200a1d5feb946179e2bbed5f65356298bbe5da3306451f01fdbaae403a9868d9cc787ef2e3219f71d8f07cf7eda962f77c1ce894c7a693

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a60fc992480270d8506d7df235cd455e

SHA1
2c1cce661c91922fc3acad18e15858d933e4af86

SHA256
8f96e173e55ab17be1b8ad37f1d644a9ec8c6d298ba742d7e5c2cffc9de87524

SHA512
c0a9a25a188e8d2cd3bf78345988c94b86aeb42a99179d496a2ea21e8fd7cc6bf42a85d65920ecdbddb83e57818c66da706ebf11d3de8bdc422448d81ea7c96d

Download Submit
memory/1748-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download