3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
Size

1.1MB
MD5

5712aed5bdd1a99bdea6bbac170dedf2
SHA1

c5fc9906d4d6bc1ed520b28f074847426f43a519
SHA256

3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23
SHA512

884e89a4b44a0415477e309421fa48e1ea76141cc67a23efcdef394dff2128bf55dd067c82d3d1bdc4d3ad63fc66281b8c47d6d243067c9bc08c5d867513464b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzM4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2816	svchcst.exe
1776	svchcst.exe
2876	svchcst.exe
2360	svchcst.exe
2184	svchcst.exe
1688	svchcst.exe
3036	svchcst.exe
2672	svchcst.exe
1472	svchcst.exe
1624	svchcst.exe
2012	svchcst.exe
2608	svchcst.exe
2140	svchcst.exe
1700	svchcst.exe
2508	svchcst.exe
1584	svchcst.exe
3004	svchcst.exe
544	svchcst.exe
2516	svchcst.exe
740	svchcst.exe
2952	svchcst.exe
1940	svchcst.exe
1760	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2060	WScript.exe
2060	WScript.exe
2488	WScript.exe
2488	WScript.exe
1060	WScript.exe
1060	WScript.exe
1888	WScript.exe
1888	WScript.exe
2728	WScript.exe
2728	WScript.exe
1960	WScript.exe
1960	WScript.exe
3068	WScript.exe
3068	WScript.exe
1788	WScript.exe
1788	WScript.exe
2536	WScript.exe
2536	WScript.exe
1152	WScript.exe
1152	WScript.exe
292	WScript.exe
292	WScript.exe
1684	WScript.exe
1684	WScript.exe
2512	WScript.exe
2512	WScript.exe
684	WScript.exe
684	WScript.exe
1960	WScript.exe
1960	WScript.exe
1728	WScript.exe
1728	WScript.exe
916	WScript.exe
916	WScript.exe
1900	WScript.exe
1900	WScript.exe
1672	WScript.exe
1672	WScript.exe
2936	WScript.exe
2936	WScript.exe
1904	WScript.exe
1904	WScript.exe
1132	WScript.exe
1132	WScript.exe
2468	WScript.exe
2468	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
2816	svchcst.exe
2816	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
2360	svchcst.exe
2360	svchcst.exe
2184	svchcst.exe
2184	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
544	svchcst.exe
544	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
740	svchcst.exe
740	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2060	2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	30
PID 2480 wrote to memory of 2060	2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	30
PID 2480 wrote to memory of 2060	2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	30
PID 2480 wrote to memory of 2060	2480	3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe	30
PID 2060 wrote to memory of 2816	2060	WScript.exe	32
PID 2060 wrote to memory of 2816	2060	WScript.exe	32
PID 2060 wrote to memory of 2816	2060	WScript.exe	32
PID 2060 wrote to memory of 2816	2060	WScript.exe	32
PID 2816 wrote to memory of 2488	2816	svchcst.exe	33
PID 2816 wrote to memory of 2488	2816	svchcst.exe	33
PID 2816 wrote to memory of 2488	2816	svchcst.exe	33
PID 2816 wrote to memory of 2488	2816	svchcst.exe	33
PID 2488 wrote to memory of 1776	2488	WScript.exe	34
PID 2488 wrote to memory of 1776	2488	WScript.exe	34
PID 2488 wrote to memory of 1776	2488	WScript.exe	34
PID 2488 wrote to memory of 1776	2488	WScript.exe	34
PID 1776 wrote to memory of 1060	1776	svchcst.exe	35
PID 1776 wrote to memory of 1060	1776	svchcst.exe	35
PID 1776 wrote to memory of 1060	1776	svchcst.exe	35
PID 1776 wrote to memory of 1060	1776	svchcst.exe	35
PID 1060 wrote to memory of 2876	1060	WScript.exe	36
PID 1060 wrote to memory of 2876	1060	WScript.exe	36
PID 1060 wrote to memory of 2876	1060	WScript.exe	36
PID 1060 wrote to memory of 2876	1060	WScript.exe	36
PID 2876 wrote to memory of 1888	2876	svchcst.exe	37
PID 2876 wrote to memory of 1888	2876	svchcst.exe	37
PID 2876 wrote to memory of 1888	2876	svchcst.exe	37
PID 2876 wrote to memory of 1888	2876	svchcst.exe	37
PID 1888 wrote to memory of 2360	1888	WScript.exe	38
PID 1888 wrote to memory of 2360	1888	WScript.exe	38
PID 1888 wrote to memory of 2360	1888	WScript.exe	38
PID 1888 wrote to memory of 2360	1888	WScript.exe	38
PID 2360 wrote to memory of 2728	2360	svchcst.exe	39
PID 2360 wrote to memory of 2728	2360	svchcst.exe	39
PID 2360 wrote to memory of 2728	2360	svchcst.exe	39
PID 2360 wrote to memory of 2728	2360	svchcst.exe	39
PID 2728 wrote to memory of 2184	2728	WScript.exe	40
PID 2728 wrote to memory of 2184	2728	WScript.exe	40
PID 2728 wrote to memory of 2184	2728	WScript.exe	40
PID 2728 wrote to memory of 2184	2728	WScript.exe	40
PID 2184 wrote to memory of 1960	2184	svchcst.exe	41
PID 2184 wrote to memory of 1960	2184	svchcst.exe	41
PID 2184 wrote to memory of 1960	2184	svchcst.exe	41
PID 2184 wrote to memory of 1960	2184	svchcst.exe	41
PID 1960 wrote to memory of 1688	1960	WScript.exe	42
PID 1960 wrote to memory of 1688	1960	WScript.exe	42
PID 1960 wrote to memory of 1688	1960	WScript.exe	42
PID 1960 wrote to memory of 1688	1960	WScript.exe	42
PID 1688 wrote to memory of 3068	1688	svchcst.exe	43
PID 1688 wrote to memory of 3068	1688	svchcst.exe	43
PID 1688 wrote to memory of 3068	1688	svchcst.exe	43
PID 1688 wrote to memory of 3068	1688	svchcst.exe	43
PID 3068 wrote to memory of 3036	3068	WScript.exe	44
PID 3068 wrote to memory of 3036	3068	WScript.exe	44
PID 3068 wrote to memory of 3036	3068	WScript.exe	44
PID 3068 wrote to memory of 3036	3068	WScript.exe	44
PID 3036 wrote to memory of 1788	3036	svchcst.exe	45
PID 3036 wrote to memory of 1788	3036	svchcst.exe	45
PID 3036 wrote to memory of 1788	3036	svchcst.exe	45
PID 3036 wrote to memory of 1788	3036	svchcst.exe	45
PID 1788 wrote to memory of 2672	1788	WScript.exe	46
PID 1788 wrote to memory of 2672	1788	WScript.exe	46
PID 1788 wrote to memory of 2672	1788	WScript.exe	46
PID 1788 wrote to memory of 2672	1788	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe
"C:\Users\Admin\AppData\Local\Temp\3ff2420601756044af767f0f874edd59826528feae7065e947bc5935cc931e23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1776
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1df77388dedd28b37b829871366cf5b0

SHA1
46cd5bd05acd3efad281fecec499367cd127f64f

SHA256
35b712d847728199f7af95df7373fadb904c0212ff7c50e4841992ba653e368b

SHA512
e2d89ab681925932dec3e2e2e33f4e61e94e08e8f9efd755ca7bdd4f937f0b7b4e6be2db5b2e177ccb2fcbf09c9ee0cbe71a4b8c7065ccd8fdc9e6d10d93c930

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dd835aebdf2bbfacde26298d2a3ec904

SHA1
b9d221b315318c1e02f09f1ecfbf0992072a1809

SHA256
af27f97dd6d009127e10c84525de5c7e9d7b954f9b13c1a97c43dde74ebb94ba

SHA512
71cdc8ab35cb85b183c5ca4231385cabd7f99d1834e8521187a6de4b8dfa40b9e970c9ba06ef151ae50c060c3daba6cb571a9cec6a8276ba3e587a2d24031204

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3dca7520834ee6deed0cb73cb50451cd

SHA1
14ce4461c91faa4a2ee0fe474a01a5213c4a742e

SHA256
609c05dd278771d9798167b80cce0eb02abc43bd55a5cb48f3a1698daf801deb

SHA512
43ec9cc84ccd3a4de1237f19e0ca1fea19cb58c22edeaced34345488e787eb7f3e0afa3ba0c201054a3a6c060549c3016e67cb7344c94d75e4474d24c08a1329

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5fd7e8f5aac3fbc0481788d01312160d

SHA1
7581fe75617d7f2fb39bb45550cd30e394c06ea3

SHA256
ce91c88172c53b0e7369ccdf747d83bd9cd3019fcbbf1e9bb89e615093627503

SHA512
940b00ba7f0bd7ba53e0927764ef4602d67d3ae72f67b98b10ea55a5f85d11dd2ab51638e7430e24e8b84004986eb35647f83b8235110a0e9d750d05355759a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
190ae8ff1f0b630f0cd0582fe210c5fa

SHA1
0e15525e067af55e81596595aa42aa7af4ab2bd6

SHA256
9d79cc3a9f68e8664a6f0e76dbaa8c196ed0b6c4111c66a1586044052f85aea0

SHA512
dc6a96e16b278f9cc94be31bdb25b809673c542b3a0dfb658ea76676ffe2527c685838d60bcc874a4997a056a8e0cfa985eb66b9e9a85885109fb8ef7b53c56b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c19dd91836609c7a0ce973af5ba7f2ba

SHA1
c03a55f182fdded7765cbc575665a1015bd73b0c

SHA256
bd6a73ed170481e75b772810d4d084508619b8fb18c12f8501b6b9bb36314924

SHA512
3d84e78263d2d77c503c94f6414bae0f4da8d16a4917dcee8384581fa778374700faf9150efa837303f655c77aa41a23f5df57edc44b406b398b7cd97ff7fe5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
14687f5e5993270507181030875a17ab

SHA1
7a26e795d237ebbd866532fd60556d5920fb33ae

SHA256
0e3a7a074a000e3e92077c4fa44559a3a38e94adf4849a0cb919230eb53e69b4

SHA512
06d1189fa470f0f190a0eccb73ea2c841c1480cb920c26cfbc805113c2b14461d191658f40009fb76d957103f8143cdd0525b519fd7459c8f14fc28a3a78289b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
174c5f5c9fd2c42680181eb15b97168f

SHA1
e0cae9f4bd81749cd2d51faeb3c943c5bbeac28a

SHA256
7df220d3269861233d5524ca852d2ae18944001cafbfdab6c4b3ec09d732e748

SHA512
4b047f188e5c1d84bb105da6f52061b7a2e53643c30665a8ae989c2a9cbf6a2d4643a66e3684a902c08da0c00b34a35025dea40aa3b2333e768badc4d88f886b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
28a4811941e895440dd67d099ec53cbe

SHA1
65af23a0039d2b5749a9f6d1d1cc360b613c2477

SHA256
6a9077909332ac6e8c44bfbc6f2c96bfa9d5de9093068d21797817bcf34984fe

SHA512
ebc29b08d8e5780601d1de79a2baff47537c38904d4e736749abc372d2d86b9c30940951429eec6713917df1c758c72fc24e24aad47eead24faecdfd0c329f82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1ea34019f31fe969cfa4b101dc276ffa

SHA1
395c42183694e5b2b512f3528e57c59a101fee73

SHA256
ed60eac5a70dc1cf0c60c49b9b87d10e88ad16c17c0d6cf668e6b0bff616f25f

SHA512
95c91a34634019b15ae296cd501818628312815c8832c021509e99d3da44d94ab122bb622f7bd089f5f3d35d1029e32f2c9712517aa615c2a9c859ebdfc2bcdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2618c99dd443f76b712bfd112377715f

SHA1
975a14bca5ec8cb81804cc43d2029fe3d13a188c

SHA256
3c369a50dc0979f1b5f9d12fcd0e372f4df7d42382db06843d56479cf7e59668

SHA512
a9eec837021d0b900642817bfec39924fcd13f9ab2fb367a7d95034f1921b90881e65a1f6ff91c6430ddc27fc1f44c5cbd38ace82a705107e75ad637d0aba5a7

Download Submit
memory/2480-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download