9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 21:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe
Size

1.1MB
MD5

a9e654362a81b0e4b26e2cfd0a3401db
SHA1

ee8f095ac3b9253a39e1c034191e1c59a658dd0f
SHA256

9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb
SHA512

ba960369bbb535af74f4d3781e8951e15ffbcc453274014d6cc9e0687617b3e90295005301f206c7c56529916835520008e1c3dba45e05725c479ade032678c3
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qk:acallSllG4ZM7QzMT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2688	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2688	svchcst.exe
2244	svchcst.exe
2908	svchcst.exe
2904	svchcst.exe
348	svchcst.exe
752	svchcst.exe
1856	svchcst.exe
2312	svchcst.exe
2644	svchcst.exe
1508	svchcst.exe
2756	svchcst.exe
2160	svchcst.exe
1292	svchcst.exe
1192	svchcst.exe
3060	svchcst.exe
2600	svchcst.exe
2612	svchcst.exe
2936	svchcst.exe
344	svchcst.exe
1600	svchcst.exe
2932	svchcst.exe
948	svchcst.exe
2216	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
980	WScript.exe
980	WScript.exe
2772	WScript.exe
2872	WScript.exe
1800	WScript.exe
3068	WScript.exe
3068	WScript.exe
1672	WScript.exe
1672	WScript.exe
2968	WScript.exe
1548	WScript.exe
1548	WScript.exe
2936	WScript.exe
2636	WScript.exe
2636	WScript.exe
2636	WScript.exe
1144	WScript.exe
1144	WScript.exe
1680	WScript.exe
1680	WScript.exe
348	WScript.exe
348	WScript.exe
2508	WScript.exe
2508	WScript.exe
2968	WScript.exe
2968	WScript.exe
2820	WScript.exe
2820	WScript.exe
2156	WScript.exe
2156	WScript.exe
2396	WScript.exe
2396	WScript.exe
1216	WScript.exe
1216	WScript.exe
1724	WScript.exe
1724	WScript.exe
1900	WScript.exe
1900	WScript.exe
3068	WScript.exe
3068	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe
2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe
2688	svchcst.exe
2688	svchcst.exe
2244	svchcst.exe
2244	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
348	svchcst.exe
348	svchcst.exe
752	svchcst.exe
752	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2160	svchcst.exe
2160	svchcst.exe
1292	svchcst.exe
1292	svchcst.exe
1192	svchcst.exe
1192	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
344	svchcst.exe
344	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
948	svchcst.exe
948	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 980	2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe	31
PID 2344 wrote to memory of 980	2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe	31
PID 2344 wrote to memory of 980	2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe	31
PID 2344 wrote to memory of 980	2344	9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe	31
PID 980 wrote to memory of 2688	980	WScript.exe	33
PID 980 wrote to memory of 2688	980	WScript.exe	33
PID 980 wrote to memory of 2688	980	WScript.exe	33
PID 980 wrote to memory of 2688	980	WScript.exe	33
PID 2688 wrote to memory of 2772	2688	svchcst.exe	34
PID 2688 wrote to memory of 2772	2688	svchcst.exe	34
PID 2688 wrote to memory of 2772	2688	svchcst.exe	34
PID 2688 wrote to memory of 2772	2688	svchcst.exe	34
PID 2772 wrote to memory of 2244	2772	WScript.exe	35
PID 2772 wrote to memory of 2244	2772	WScript.exe	35
PID 2772 wrote to memory of 2244	2772	WScript.exe	35
PID 2772 wrote to memory of 2244	2772	WScript.exe	35
PID 2244 wrote to memory of 2872	2244	svchcst.exe	36
PID 2244 wrote to memory of 2872	2244	svchcst.exe	36
PID 2244 wrote to memory of 2872	2244	svchcst.exe	36
PID 2244 wrote to memory of 2872	2244	svchcst.exe	36
PID 2872 wrote to memory of 2908	2872	WScript.exe	37
PID 2872 wrote to memory of 2908	2872	WScript.exe	37
PID 2872 wrote to memory of 2908	2872	WScript.exe	37
PID 2872 wrote to memory of 2908	2872	WScript.exe	37
PID 2908 wrote to memory of 1800	2908	svchcst.exe	38
PID 2908 wrote to memory of 1800	2908	svchcst.exe	38
PID 2908 wrote to memory of 1800	2908	svchcst.exe	38
PID 2908 wrote to memory of 1800	2908	svchcst.exe	38
PID 1800 wrote to memory of 2904	1800	WScript.exe	39
PID 1800 wrote to memory of 2904	1800	WScript.exe	39
PID 1800 wrote to memory of 2904	1800	WScript.exe	39
PID 1800 wrote to memory of 2904	1800	WScript.exe	39
PID 2904 wrote to memory of 3068	2904	svchcst.exe	40
PID 2904 wrote to memory of 3068	2904	svchcst.exe	40
PID 2904 wrote to memory of 3068	2904	svchcst.exe	40
PID 2904 wrote to memory of 3068	2904	svchcst.exe	40
PID 3068 wrote to memory of 348	3068	WScript.exe	41
PID 3068 wrote to memory of 348	3068	WScript.exe	41
PID 3068 wrote to memory of 348	3068	WScript.exe	41
PID 3068 wrote to memory of 348	3068	WScript.exe	41
PID 348 wrote to memory of 1672	348	svchcst.exe	42
PID 348 wrote to memory of 1672	348	svchcst.exe	42
PID 348 wrote to memory of 1672	348	svchcst.exe	42
PID 348 wrote to memory of 1672	348	svchcst.exe	42
PID 1672 wrote to memory of 752	1672	WScript.exe	43
PID 1672 wrote to memory of 752	1672	WScript.exe	43
PID 1672 wrote to memory of 752	1672	WScript.exe	43
PID 1672 wrote to memory of 752	1672	WScript.exe	43
PID 752 wrote to memory of 2968	752	svchcst.exe	44
PID 752 wrote to memory of 2968	752	svchcst.exe	44
PID 752 wrote to memory of 2968	752	svchcst.exe	44
PID 752 wrote to memory of 2968	752	svchcst.exe	44
PID 2968 wrote to memory of 1856	2968	WScript.exe	45
PID 2968 wrote to memory of 1856	2968	WScript.exe	45
PID 2968 wrote to memory of 1856	2968	WScript.exe	45
PID 2968 wrote to memory of 1856	2968	WScript.exe	45
PID 1856 wrote to memory of 1548	1856	svchcst.exe	46
PID 1856 wrote to memory of 1548	1856	svchcst.exe	46
PID 1856 wrote to memory of 1548	1856	svchcst.exe	46
PID 1856 wrote to memory of 1548	1856	svchcst.exe	46
PID 1548 wrote to memory of 2312	1548	WScript.exe	47
PID 1548 wrote to memory of 2312	1548	WScript.exe	47
PID 1548 wrote to memory of 2312	1548	WScript.exe	47
PID 1548 wrote to memory of 2312	1548	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe
"C:\Users\Admin\AppData\Local\Temp\9210bd87b173a66b204f4551852325502797c1999035ffaa23290813ca75d0fb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
56d67c24af31a315062fdb917d492bce

SHA1
b87507414bf7812a0a7ae925c671c33e5c54f37a

SHA256
591871025a7d50ffa26db69ff47a3fa6afa60240906a7e4c8441fb7bd745c18b

SHA512
2916c6ee396d27d3d7ba3b96619a9c11c6e27ecf4a2ce14ccdbe16230916c9570e60abc8507c4a6ecc2aa5696b6e23eb8ae4117c6e2c2fc1347d4ed66af10688

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1106df09ec5fdde059876fabb3b189f8

SHA1
ff325b628bb07f43bc277ad1b343ca9b797324f1

SHA256
646d2e16d16c0dc4f95a42ab11dd666e4ecb28752154e1586316faa059fa0829

SHA512
0503a6256c3b327ee4f56644baa5d4237e00877e3502e044d3d698626d32e05f0ec2a71187ce371cf7d68f888e8ceb43a0212b8cce3e74d8f5607c21e574db86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aac0fba8016aa15609aa7abb5db077ae

SHA1
f8afa6ff11a91f46eb961727ec6a5fad360fa1c9

SHA256
76a6ce5f2e579dc37db23bb0e1ef5ebdd8b02e6b22b6f8da1a17964db237a8a0

SHA512
26a4910f08563b7c4b1e1abba82fefdefcb43b7d1149d5e6c7dda36db4aa142c4b74bc64263f23a5177804e2191696795e0de5d5368ea6903b398415d435962e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6312d52b02d75794a5b505edf9c587a9

SHA1
286ad89930ec97cfb633416a9dbe3cfc82b8b592

SHA256
da2f04e9b48e46d860b2a2e1a5ba021e6bd41ae303cd5d27eaece9f0865ed2e7

SHA512
3597b80739890664fb39ee975e28f32dd0ff3a143b9e7657d9131387d1645adbe1cbb647bbd156782524e27141282f6aff5b760d50a3e12588697175fd841822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0033a4a2b4a39a8a8b55d1e1d453979b

SHA1
b0c79f98e33f83725fed06b2d934b9dfeded16b5

SHA256
570123e1c0016b406828004c74b29fdca2fb14684c4cd06eb4947b61e385b782

SHA512
4aaa3f363783a336f0780df827ad5e69abb45b8b3bba6a5208466d6956c4dcad9d1f30ae78434da9122f4b3897e265fd2f8e6643dc7203615b93ef249a77d45a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
16d67c0a68e458fe219ffc2c7214cdb2

SHA1
5c0c53de594757f5c346fea41f56f66581d328f7

SHA256
142118ebe63a4a77e8627a9ad6668703468f532fba5899898ae322f5381842ba

SHA512
eeb263bfdcbd85df294c9a84f8c092df7f77d5677ddda8b25f47a20eb33404aadaeba913f4c04f42f3330a7f470e453807d62c164018a5931304943dd1433dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bce141fbf6794c1ec47e69d0135ec3c9

SHA1
4db02da75d3d03e5749af5b3b383c5e0d515a478

SHA256
4c9f968204b48b5da861aa2a90747080bd5e4b3fd45825a6cf2aa0cdf376fb8d

SHA512
5dfb9a112d5d453bb522776492e421188eb66c4599a9a7a88e1c3ec217be5e6557c1315a24ffc4346c44facd5378810c7df92c0801c1c706db10d71e777cb725

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2fd92e8420460af9978b78a4536fd071

SHA1
e2ce58c24bd822820123ec46fee989e62fc645cf

SHA256
1af8f9d515de664058a6a75111a4ad49aec0ed0ec0061dc22ad9018828a2f971

SHA512
34a71df18ea7a1b8bc24dee6ebf9b0295750af7da10c4c3680bfa5f6201f363be9d260001f5d42b47c363b35213a1eda3edbb467b0e954f93d09d56c28ef7270

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fc40fc64d68cf23da5b3cf194e4419fc

SHA1
eb5ee7dc46c4f448b323d9ddc4462f151d7af8f0

SHA256
21285a1afdf833a33d3e7b9812ce0fc4b3a93429aae0246da4071bb0a83a06b8

SHA512
deec3f710ee16afbc303df00eeb123ec0d69018f9c3293e79ecfcc92f5cd35e20601bf9a38281a7aaadc17e3573d7f87278025c1686d9d61075c7da8766e62c2

Download Submit
memory/344-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/344-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/348-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/348-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/752-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/752-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/948-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/948-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1192-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1192-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1292-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1292-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1672-81-0x0000000004830000-0x000000000498F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-188-0x0000000004830000-0x000000000498F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2160-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-254-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-179-0x00000000048F0000-0x0000000004A4F000-memory.dmp

Filesize
1.4MB

Download
memory/2600-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2600-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2612-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2612-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2644-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2756-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-30-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/2904-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2904-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-193-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/2968-194-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/3060-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3068-65-0x00000000047B0000-0x000000000490F000-memory.dmp

Filesize
1.4MB

Download