965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe
Size

1.1MB
MD5

c68e7f1ee6e774626fe0ad9f42f4ce22
SHA1

950f4498f54316894d75bd12477da376a2a45c3e
SHA256

965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9
SHA512

a625b6010b3113e5c7d5e261eb9bd0fd8ede285f74c7ffcd1c5ee0b841adc83f76b4604e6e41e1b158cfbb27c8cd9d35fefac52afa7b43fa6b6242afa7fa49b4
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q0:acallSllG4ZM7QzMD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2588	svchcst.exe
2084	svchcst.exe
668	svchcst.exe
2456	svchcst.exe
2184	svchcst.exe
640	svchcst.exe
1572	svchcst.exe
2752	svchcst.exe
2860	svchcst.exe
564	svchcst.exe
1656	svchcst.exe
1644	svchcst.exe
284	svchcst.exe
1728	svchcst.exe
300	svchcst.exe
2264	svchcst.exe
1980	svchcst.exe
2044	svchcst.exe
2464	svchcst.exe
1656	svchcst.exe
1856	svchcst.exe
904	svchcst.exe
2576	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2688	WScript.exe
2688	WScript.exe
1848	WScript.exe
1848	WScript.exe
2868	WScript.exe
2844	WScript.exe
2844	WScript.exe
2844	WScript.exe
2076	WScript.exe
2076	WScript.exe
964	WScript.exe
964	WScript.exe
744	WScript.exe
744	WScript.exe
2636	WScript.exe
1976	WScript.exe
1976	WScript.exe
2240	WScript.exe
2240	WScript.exe
1960	WScript.exe
2460	WScript.exe
2460	WScript.exe
2192	WScript.exe
2192	WScript.exe
2792	WScript.exe
2792	WScript.exe
2704	WScript.exe
2704	WScript.exe
1972	WScript.exe
1972	WScript.exe
976	WScript.exe
976	WScript.exe
1468	WScript.exe
1468	WScript.exe
2204	WScript.exe
2204	WScript.exe
1340	WScript.exe
1340	WScript.exe
1772	WScript.exe
1772	WScript.exe
348	WScript.exe
348	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe
3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe
2588	svchcst.exe
2588	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
668	svchcst.exe
668	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2184	svchcst.exe
2184	svchcst.exe
640	svchcst.exe
640	svchcst.exe
1572	svchcst.exe
1572	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
564	svchcst.exe
564	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
284	svchcst.exe
284	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
300	svchcst.exe
300	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
1980	svchcst.exe
1980	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
904	svchcst.exe
904	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2688	3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe	30
PID 3028 wrote to memory of 2688	3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe	30
PID 3028 wrote to memory of 2688	3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe	30
PID 3028 wrote to memory of 2688	3028	965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe	30
PID 2688 wrote to memory of 2588	2688	WScript.exe	32
PID 2688 wrote to memory of 2588	2688	WScript.exe	32
PID 2688 wrote to memory of 2588	2688	WScript.exe	32
PID 2688 wrote to memory of 2588	2688	WScript.exe	32
PID 2588 wrote to memory of 1848	2588	svchcst.exe	33
PID 2588 wrote to memory of 1848	2588	svchcst.exe	33
PID 2588 wrote to memory of 1848	2588	svchcst.exe	33
PID 2588 wrote to memory of 1848	2588	svchcst.exe	33
PID 1848 wrote to memory of 2084	1848	WScript.exe	34
PID 1848 wrote to memory of 2084	1848	WScript.exe	34
PID 1848 wrote to memory of 2084	1848	WScript.exe	34
PID 1848 wrote to memory of 2084	1848	WScript.exe	34
PID 2084 wrote to memory of 2868	2084	svchcst.exe	35
PID 2084 wrote to memory of 2868	2084	svchcst.exe	35
PID 2084 wrote to memory of 2868	2084	svchcst.exe	35
PID 2084 wrote to memory of 2868	2084	svchcst.exe	35
PID 2868 wrote to memory of 668	2868	WScript.exe	36
PID 2868 wrote to memory of 668	2868	WScript.exe	36
PID 2868 wrote to memory of 668	2868	WScript.exe	36
PID 2868 wrote to memory of 668	2868	WScript.exe	36
PID 668 wrote to memory of 2844	668	svchcst.exe	37
PID 668 wrote to memory of 2844	668	svchcst.exe	37
PID 668 wrote to memory of 2844	668	svchcst.exe	37
PID 668 wrote to memory of 2844	668	svchcst.exe	37
PID 2844 wrote to memory of 2456	2844	WScript.exe	39
PID 2844 wrote to memory of 2456	2844	WScript.exe	39
PID 2844 wrote to memory of 2456	2844	WScript.exe	39
PID 2844 wrote to memory of 2456	2844	WScript.exe	39
PID 2456 wrote to memory of 3064	2456	svchcst.exe	40
PID 2456 wrote to memory of 3064	2456	svchcst.exe	40
PID 2456 wrote to memory of 3064	2456	svchcst.exe	40
PID 2456 wrote to memory of 3064	2456	svchcst.exe	40
PID 2844 wrote to memory of 2184	2844	WScript.exe	41
PID 2844 wrote to memory of 2184	2844	WScript.exe	41
PID 2844 wrote to memory of 2184	2844	WScript.exe	41
PID 2844 wrote to memory of 2184	2844	WScript.exe	41
PID 2184 wrote to memory of 2076	2184	svchcst.exe	42
PID 2184 wrote to memory of 2076	2184	svchcst.exe	42
PID 2184 wrote to memory of 2076	2184	svchcst.exe	42
PID 2184 wrote to memory of 2076	2184	svchcst.exe	42
PID 2076 wrote to memory of 640	2076	WScript.exe	43
PID 2076 wrote to memory of 640	2076	WScript.exe	43
PID 2076 wrote to memory of 640	2076	WScript.exe	43
PID 2076 wrote to memory of 640	2076	WScript.exe	43
PID 640 wrote to memory of 964	640	svchcst.exe	44
PID 640 wrote to memory of 964	640	svchcst.exe	44
PID 640 wrote to memory of 964	640	svchcst.exe	44
PID 640 wrote to memory of 964	640	svchcst.exe	44
PID 640 wrote to memory of 300	640	svchcst.exe	45
PID 640 wrote to memory of 300	640	svchcst.exe	45
PID 640 wrote to memory of 300	640	svchcst.exe	45
PID 640 wrote to memory of 300	640	svchcst.exe	45
PID 964 wrote to memory of 1572	964	WScript.exe	46
PID 964 wrote to memory of 1572	964	WScript.exe	46
PID 964 wrote to memory of 1572	964	WScript.exe	46
PID 964 wrote to memory of 1572	964	WScript.exe	46
PID 1572 wrote to memory of 744	1572	svchcst.exe	47
PID 1572 wrote to memory of 744	1572	svchcst.exe	47
PID 1572 wrote to memory of 744	1572	svchcst.exe	47
PID 1572 wrote to memory of 744	1572	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe
"C:\Users\Admin\AppData\Local\Temp\965fb1fff4f100db9c001a82ef8efd919a480929f9e257c74b57c5733bac09c9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ac82982e1de1aefb22a50f97eef1c76b

SHA1
a23ce695bd30570d2fa6cc7dd3c94f0040642837

SHA256
ccf27846e3971900522849a2df9bfe7eed59b067064521472854267c7b960a7f

SHA512
9d9aaa2a9eda6f0a23d000dd1759bc911221609df02557523703bfb19ab27404d3eba38871957ebdb320f14950e70f64ae4858883a28208f6da620c1e58565b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
39797ed9fa868474fc760098082af69a

SHA1
4d8d9570e62b6eb0fe3a35337a94c2b6b5c46df9

SHA256
a5c1f18cf3863d95ca87a4d1dd36ecaddbd00e8e10a9bbf2b93f376e9539f788

SHA512
55c6c5242d830a4f048e5237cd55a30188ec6fafe8230d88ee8b133b9f4921e97605b13fe802bf3312003a7524eb377805d2d4f3c5a4040e96fd303200cc4b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9d16016b54a9082877df98168e2d86fa

SHA1
0282d76f1e0b284d344f17ddf0d2bdc4e7a9e657

SHA256
3e900222d948700f27f4ea366115bac06080a764f79ffc88b7f2c40afa497e60

SHA512
f49a337a66d81b7f8e610b08f20aa64df0a078c74b6accb730d0ab5e8396a466c4e73501a8e4eec11ae54b58457417444fb547b26eb042e4d1d6d7c130c1d13e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
01a6543ea52eabc2cd6b9775f022bed4

SHA1
259a8e99238762e3db6c0aaa3091ef7f55bcfd78

SHA256
fa58ddf2055c8d667f8d0c5a24f2f042aaf1125c3681bd03c48f6e7ae03f59e0

SHA512
ea23023f9b2308f4c480fbf17d785b46e51b1b06e7b89c4102a0d9f079f59e252ba948e83d63c716eee1c9800e848bda5facc30764e202a5b1a1786c1713ec47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
472a285b530d985aa2857feff2012068

SHA1
c3c299aff02d94f30c386770162cb29145a22404

SHA256
54cc732ba81b401a57a7ab07a455912a30f7e92314402139556bb816f601c720

SHA512
596062540321b5db4104f7f16e2a1ce7a84cd10a8cc6bec376e04b9389f208ec120fefea607ccf44f0fb7f8e7ce752377cef9d432fd33998de77655141218112

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
923dac75bb1734e5bdc2fbb5b7ff4154

SHA1
9f14479d47331253cf75249f76cb3859c7304d09

SHA256
3b7334e231e370e738570cef3eec0c84e0313b01f2431ca810a94de09b014423

SHA512
c3fb292979432b8b3a09448ff2b967a34d1b76442ad1452197f8eb0629d48976251cbf0943a9e853b17cb522069bb655e6888a57c9049f28e01c14e80cde1747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a57f7b4a5192ce0c1ff2237d655be9f2

SHA1
afbc1cff76ec7dfe225ee6f7e7d01a56ff75d9d0

SHA256
e2e5cdd3defc7d373ebe6e7cbe6155d63429993ff39aefbbf10ca00998843268

SHA512
627a0dd6dfd6a1e88c8938891bc67a76eda14228ea5c186ef1d30c8cafda37d5488cb04e93dabc2b906c6f52e403bb575e2e4282609ca1cc6b0771490808fdf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2173538793ed8b57f59f4feb9c4733bf

SHA1
b0cd1e8d153294437847cb82c6e738555c3e06e7

SHA256
353cc267c734a18a4715c282cc90c783f94108ab6d492c6411180814689c942a

SHA512
2eb3643373fa4b5430ee9a24ce80f01e71e9750c854849f4aded1f0aad4064bf72180d3112e5fbbf50ded67fe3d44fbbe39101ca8feca9eceb6b1a74b29961f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59209e35dc5cb787c8f0cc26533d7f85

SHA1
d4026a4245f5960ebab3d5da3c5c52a230bbf19b

SHA256
23f26bb0e72ab4d3e55fd3c69dd857908eb1e12561df95bd144c0b8f2b809468

SHA512
dc5d617fad7f6c788f614ff90b3dceb94e5700a9dbdb03562d252a3e6e3bbaf7e47e284022555f5072e7d5b49f6e7d0ed65266fa52f367d006da019f03d2461a

Download Submit
memory/284-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/284-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/300-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/348-250-0x0000000005BA0000-0x0000000005CFF000-memory.dmp

Filesize
1.4MB

Download
memory/564-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/640-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/744-114-0x00000000045B0000-0x000000000470F000-memory.dmp

Filesize
1.4MB

Download
memory/904-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/904-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/964-95-0x00000000045D0000-0x000000000472F000-memory.dmp

Filesize
1.4MB

Download
memory/1572-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1572-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1848-29-0x0000000003E70000-0x0000000003FCF000-memory.dmp

Filesize
1.4MB

Download
memory/1856-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1960-161-0x0000000005ED0000-0x000000000602F000-memory.dmp

Filesize
1.4MB

Download
memory/1976-137-0x0000000005970000-0x0000000005ACF000-memory.dmp

Filesize
1.4MB

Download
memory/1976-138-0x0000000005970000-0x0000000005ACF000-memory.dmp

Filesize
1.4MB

Download
memory/1980-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1980-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2044-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2044-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-78-0x0000000004370000-0x00000000044CF000-memory.dmp

Filesize
1.4MB

Download
memory/2084-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2184-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-178-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/2264-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2464-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2576-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2588-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-197-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2844-64-0x00000000048A0000-0x00000000049FF000-memory.dmp

Filesize
1.4MB

Download
memory/2860-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-39-0x00000000049A0000-0x0000000004AFF000-memory.dmp

Filesize
1.4MB

Download
memory/3028-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3028-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download