db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe
Size

1.1MB
MD5

f998f7d326ec4cd553f8fdb36467848d
SHA1

739647976e0d44a04695a92053c7a786a3b0d5d2
SHA256

db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade
SHA512

640fd8a33902f581e83317b8fe75b320e9fe27e423acc11cf3399957f2bd2f4ecae29fb83e5387a86c3550d4dd648dae7f0ec54e1eb6098fa620b4ffc375bcba
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMI

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2912	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2912	svchcst.exe
1604	svchcst.exe
356	svchcst.exe
2708	svchcst.exe
1624	svchcst.exe
1180	svchcst.exe
1216	svchcst.exe
592	svchcst.exe
2096	svchcst.exe
1520	svchcst.exe
1280	svchcst.exe
2156	svchcst.exe
2976	svchcst.exe
380	svchcst.exe
3008	svchcst.exe
1216	svchcst.exe
2716	svchcst.exe
2192	svchcst.exe
2748	svchcst.exe
1076	svchcst.exe
1280	svchcst.exe
2952	svchcst.exe
2020	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2056	WScript.exe
2056	WScript.exe
2720	WScript.exe
564	WScript.exe
276	WScript.exe
276	WScript.exe
2184	WScript.exe
2184	WScript.exe
1824	WScript.exe
1824	WScript.exe
2068	WScript.exe
2068	WScript.exe
2356	WScript.exe
2824	WScript.exe
2824	WScript.exe
2824	WScript.exe
2640	WScript.exe
1204	WScript.exe
444	WScript.exe
444	WScript.exe
2948	WScript.exe
2948	WScript.exe
2336	WScript.exe
2336	WScript.exe
1756	WScript.exe
1756	WScript.exe
3012	WScript.exe
3012	WScript.exe
2684	WScript.exe
2684	WScript.exe
1604	WScript.exe
1604	WScript.exe
1520	WScript.exe
1520	WScript.exe
1992	WScript.exe
1992	WScript.exe
2936	WScript.exe
2936	WScript.exe
564	WScript.exe
564	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe
1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe
2912	svchcst.exe
2912	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
356	svchcst.exe
356	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1180	svchcst.exe
1180	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
592	svchcst.exe
592	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
1280	svchcst.exe
1280	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
380	svchcst.exe
380	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
1076	svchcst.exe
1076	svchcst.exe
1280	svchcst.exe
1280	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2056	1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe	30
PID 1564 wrote to memory of 2056	1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe	30
PID 1564 wrote to memory of 2056	1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe	30
PID 1564 wrote to memory of 2056	1564	db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe	30
PID 2056 wrote to memory of 2912	2056	WScript.exe	33
PID 2056 wrote to memory of 2912	2056	WScript.exe	33
PID 2056 wrote to memory of 2912	2056	WScript.exe	33
PID 2056 wrote to memory of 2912	2056	WScript.exe	33
PID 2912 wrote to memory of 2720	2912	svchcst.exe	34
PID 2912 wrote to memory of 2720	2912	svchcst.exe	34
PID 2912 wrote to memory of 2720	2912	svchcst.exe	34
PID 2912 wrote to memory of 2720	2912	svchcst.exe	34
PID 2720 wrote to memory of 1604	2720	WScript.exe	35
PID 2720 wrote to memory of 1604	2720	WScript.exe	35
PID 2720 wrote to memory of 1604	2720	WScript.exe	35
PID 2720 wrote to memory of 1604	2720	WScript.exe	35
PID 1604 wrote to memory of 564	1604	svchcst.exe	36
PID 1604 wrote to memory of 564	1604	svchcst.exe	36
PID 1604 wrote to memory of 564	1604	svchcst.exe	36
PID 1604 wrote to memory of 564	1604	svchcst.exe	36
PID 564 wrote to memory of 356	564	WScript.exe	37
PID 564 wrote to memory of 356	564	WScript.exe	37
PID 564 wrote to memory of 356	564	WScript.exe	37
PID 564 wrote to memory of 356	564	WScript.exe	37
PID 356 wrote to memory of 276	356	svchcst.exe	38
PID 356 wrote to memory of 276	356	svchcst.exe	38
PID 356 wrote to memory of 276	356	svchcst.exe	38
PID 356 wrote to memory of 276	356	svchcst.exe	38
PID 276 wrote to memory of 2708	276	WScript.exe	39
PID 276 wrote to memory of 2708	276	WScript.exe	39
PID 276 wrote to memory of 2708	276	WScript.exe	39
PID 276 wrote to memory of 2708	276	WScript.exe	39
PID 2708 wrote to memory of 2184	2708	svchcst.exe	40
PID 2708 wrote to memory of 2184	2708	svchcst.exe	40
PID 2708 wrote to memory of 2184	2708	svchcst.exe	40
PID 2708 wrote to memory of 2184	2708	svchcst.exe	40
PID 2184 wrote to memory of 1624	2184	WScript.exe	41
PID 2184 wrote to memory of 1624	2184	WScript.exe	41
PID 2184 wrote to memory of 1624	2184	WScript.exe	41
PID 2184 wrote to memory of 1624	2184	WScript.exe	41
PID 1624 wrote to memory of 1824	1624	svchcst.exe	42
PID 1624 wrote to memory of 1824	1624	svchcst.exe	42
PID 1624 wrote to memory of 1824	1624	svchcst.exe	42
PID 1624 wrote to memory of 1824	1624	svchcst.exe	42
PID 1824 wrote to memory of 1180	1824	WScript.exe	43
PID 1824 wrote to memory of 1180	1824	WScript.exe	43
PID 1824 wrote to memory of 1180	1824	WScript.exe	43
PID 1824 wrote to memory of 1180	1824	WScript.exe	43
PID 1180 wrote to memory of 2068	1180	svchcst.exe	44
PID 1180 wrote to memory of 2068	1180	svchcst.exe	44
PID 1180 wrote to memory of 2068	1180	svchcst.exe	44
PID 1180 wrote to memory of 2068	1180	svchcst.exe	44
PID 2068 wrote to memory of 1216	2068	WScript.exe	45
PID 2068 wrote to memory of 1216	2068	WScript.exe	45
PID 2068 wrote to memory of 1216	2068	WScript.exe	45
PID 2068 wrote to memory of 1216	2068	WScript.exe	45
PID 1216 wrote to memory of 2356	1216	svchcst.exe	46
PID 1216 wrote to memory of 2356	1216	svchcst.exe	46
PID 1216 wrote to memory of 2356	1216	svchcst.exe	46
PID 1216 wrote to memory of 2356	1216	svchcst.exe	46
PID 2356 wrote to memory of 592	2356	WScript.exe	47
PID 2356 wrote to memory of 592	2356	WScript.exe	47
PID 2356 wrote to memory of 592	2356	WScript.exe	47
PID 2356 wrote to memory of 592	2356	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe
"C:\Users\Admin\AppData\Local\Temp\db5cac8b5183788ef7a2bff46c8a6944a279c57493815db08991a10f23e30ade.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a68072d023e03368f001e2ac4ff8d603

SHA1
074274c29cdc2019347d699b07d6371f703ae2f4

SHA256
d3dd8862220e34b0c1093cfefeea153caea42e916eba2154309be602538df751

SHA512
d388c10ec62b0d04e7aa4864e5891f6b4fc541b5190df9f703d0041efedacbabdb2c77c55669094d2af3fc7e49f2e2b5f2ed6546c99bf2a007a811f872004420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25874246c29e6249372a62c1ffb8a1ae

SHA1
8b271268ba9ae539e8c5ca3233e5f85772899926

SHA256
3d9e506a169afe13ea22a91f88363de0837fc11723beb0425f564262d104bb59

SHA512
bb48d383a7aa5bc14fbe010fd778e40512b1079fa7c66757041b6e79c51bf6a719b058434d6c603db81d8d5bd269f354d153ca899aaae789e25061f005afcdaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0aaec62d816b370cc1fa4b695682d7df

SHA1
73e70bd2873e491965da813a288d8c1e24d4abe2

SHA256
b7592ef9c69282ae62dc743b291ab561cdc026ed736fe80b11bd5bc820196738

SHA512
412390a61c657dcae316926cd585445da30303b1125718bef8b01a99aaa9daf075e67dbfdc01c3131bf94699add7658d9a9ee262eecb4fd8ca171714b635578f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5a43e7266e0ebcec9ce50c1867b157f1

SHA1
191fbb3fc0501571343a39ff732d72f3c691f8f2

SHA256
09712ef80424000553c69446561a02ae41a65ba08e2e91218d5216981415d652

SHA512
892d67000978c048c101f42a1094cf7b26b267ca2652e794ae776ed312d25710554e3b6da23cabc028b4ac03acb3a4e5ee8680752cebf50879962c5ef1455d18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
131c3a68c839a2ccca74224211412365

SHA1
0fb0672e7f6fad5e7b038a2f1806457493f4d432

SHA256
8a45af7330306c96dcb3d1eeec2e62a7d5a43b4ab8339718ff8b3f262987346d

SHA512
755aaa00a22ff4d87e0080be4984701bb6d4961f6e719bb6965a9f1fe1a39a9d60369787b3a092e429f5f20c626b12275c91909a9e0f88b25980156da413e02b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
15a3329ffd1f9ad4543c342590086ce8

SHA1
0d657269e6fee371311651918ca16d3cb3a9c27e

SHA256
6255347c5c52e4e82a05cb069c6c730c0bf65c21d20813c78ceaee38e0e4afba

SHA512
7d46f44dcbc1fa6f3429b5319dcc271c8d092fb27e2ee4742953a9c9a3ef1833dc2de0578d68ff4d8ca0935f6faa4de49ac5703baa8a408ec8c29f5673db7785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
69af8e96288fa8765411fb0aa7ba8f1f

SHA1
786fbe87ab1aac6fc48f4f310f6af452a0fe94d9

SHA256
345a03a8ee99fe59db330c5e88c4ef4d74846b3128cb445390d83220e0d67b8c

SHA512
89665f9f555e806da8118703410cbcb5ccc65a8e38a96021ccba569b8ed40ee89a19b7989ddce18801c37051f969cba00baae0498613c79a16433380f2db54b1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dfdef75ebc73d2219d25c794216adee0

SHA1
287545e96044ecb10d6629d8290215d36981b348

SHA256
9995e5aeed4467b22caec6e9699ccb4b221dd3f4cd3007d01f0e3a1d2737ea57

SHA512
8b5e15212eb0576f08dc998ff59dcbbc5512efb086f534886d0e40d80f735d5c67038bf7641f2355da336b4d3dd9fd0d2fe6f6583f107de52b4321e23c9ebf78

Download Submit
memory/1564-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download