2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c

Analysis

max time kernel
149s
max time network
24s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe
Size

1.1MB
MD5

d211cd8df3e10621a5951f9059f469a3
SHA1

42da17aedf134c5793d308c8f0cfabb292c61bde
SHA256

2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c
SHA512

b9b3d6bd541f71e9e5426c168803faef8ab6f118e2c1f983372acfd8965bc93c3ff60db0e01b64c15229a41b6a50230bad7964ffc0b0f9e01bb04a711fc570c2
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qt:acallSllG4ZM7QzMG

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3048	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
3048	svchcst.exe
2868	svchcst.exe
1852	svchcst.exe
1696	svchcst.exe
2356	svchcst.exe
1800	svchcst.exe
2440	svchcst.exe
2928	svchcst.exe
2704	svchcst.exe
2172	svchcst.exe
680	svchcst.exe
1112	svchcst.exe
872	svchcst.exe
1516	svchcst.exe
1280	svchcst.exe
2596	svchcst.exe
2940	svchcst.exe
2056	svchcst.exe
2748	svchcst.exe
1248	svchcst.exe
1924	svchcst.exe
1092	svchcst.exe
352	svchcst.exe
776	svchcst.exe

Loads dropped DLL 47 IoCs

pid	Process
3056	WScript.exe
3056	WScript.exe
1780	WScript.exe
1780	WScript.exe
2032	WScript.exe
2728	WScript.exe
2728	WScript.exe
1916	WScript.exe
1916	WScript.exe
564	WScript.exe
564	WScript.exe
1652	WScript.exe
1652	WScript.exe
2620	WScript.exe
2620	WScript.exe
2108	WScript.exe
2108	WScript.exe
2832	WScript.exe
2832	WScript.exe
2988	WScript.exe
2988	WScript.exe
2312	WScript.exe
2312	WScript.exe
1528	WScript.exe
1528	WScript.exe
784	WScript.exe
784	WScript.exe
2436	WScript.exe
2436	WScript.exe
1652	WScript.exe
1652	WScript.exe
2828	WScript.exe
2828	WScript.exe
2188	WScript.exe
2188	WScript.exe
1680	WScript.exe
1680	WScript.exe
2284	WScript.exe
2284	WScript.exe
1612	WScript.exe
1612	WScript.exe
2176	WScript.exe
2176	WScript.exe
2500	WScript.exe
2500	WScript.exe
2196	WScript.exe
2196	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe
1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe
3048	svchcst.exe
3048	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
1852	svchcst.exe
1852	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
680	svchcst.exe
680	svchcst.exe
1112	svchcst.exe
1112	svchcst.exe
872	svchcst.exe
872	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
1280	svchcst.exe
1280	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2056	svchcst.exe
2056	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
352	svchcst.exe
352	svchcst.exe
776	svchcst.exe
776	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 3056	1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe	30
PID 1328 wrote to memory of 3056	1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe	30
PID 1328 wrote to memory of 3056	1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe	30
PID 1328 wrote to memory of 3056	1328	2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe	30
PID 3056 wrote to memory of 3048	3056	WScript.exe	32
PID 3056 wrote to memory of 3048	3056	WScript.exe	32
PID 3056 wrote to memory of 3048	3056	WScript.exe	32
PID 3056 wrote to memory of 3048	3056	WScript.exe	32
PID 3048 wrote to memory of 1780	3048	svchcst.exe	33
PID 3048 wrote to memory of 1780	3048	svchcst.exe	33
PID 3048 wrote to memory of 1780	3048	svchcst.exe	33
PID 3048 wrote to memory of 1780	3048	svchcst.exe	33
PID 3048 wrote to memory of 2032	3048	svchcst.exe	34
PID 3048 wrote to memory of 2032	3048	svchcst.exe	34
PID 3048 wrote to memory of 2032	3048	svchcst.exe	34
PID 3048 wrote to memory of 2032	3048	svchcst.exe	34
PID 1780 wrote to memory of 2868	1780	WScript.exe	35
PID 1780 wrote to memory of 2868	1780	WScript.exe	35
PID 1780 wrote to memory of 2868	1780	WScript.exe	35
PID 1780 wrote to memory of 2868	1780	WScript.exe	35
PID 2032 wrote to memory of 1852	2032	WScript.exe	36
PID 2032 wrote to memory of 1852	2032	WScript.exe	36
PID 2032 wrote to memory of 1852	2032	WScript.exe	36
PID 2032 wrote to memory of 1852	2032	WScript.exe	36
PID 1852 wrote to memory of 2728	1852	svchcst.exe	37
PID 1852 wrote to memory of 2728	1852	svchcst.exe	37
PID 1852 wrote to memory of 2728	1852	svchcst.exe	37
PID 1852 wrote to memory of 2728	1852	svchcst.exe	37
PID 2728 wrote to memory of 1696	2728	WScript.exe	38
PID 2728 wrote to memory of 1696	2728	WScript.exe	38
PID 2728 wrote to memory of 1696	2728	WScript.exe	38
PID 2728 wrote to memory of 1696	2728	WScript.exe	38
PID 1696 wrote to memory of 1916	1696	svchcst.exe	39
PID 1696 wrote to memory of 1916	1696	svchcst.exe	39
PID 1696 wrote to memory of 1916	1696	svchcst.exe	39
PID 1696 wrote to memory of 1916	1696	svchcst.exe	39
PID 1916 wrote to memory of 2356	1916	WScript.exe	40
PID 1916 wrote to memory of 2356	1916	WScript.exe	40
PID 1916 wrote to memory of 2356	1916	WScript.exe	40
PID 1916 wrote to memory of 2356	1916	WScript.exe	40
PID 2356 wrote to memory of 564	2356	svchcst.exe	41
PID 2356 wrote to memory of 564	2356	svchcst.exe	41
PID 2356 wrote to memory of 564	2356	svchcst.exe	41
PID 2356 wrote to memory of 564	2356	svchcst.exe	41
PID 564 wrote to memory of 1800	564	WScript.exe	42
PID 564 wrote to memory of 1800	564	WScript.exe	42
PID 564 wrote to memory of 1800	564	WScript.exe	42
PID 564 wrote to memory of 1800	564	WScript.exe	42
PID 1800 wrote to memory of 1652	1800	svchcst.exe	43
PID 1800 wrote to memory of 1652	1800	svchcst.exe	43
PID 1800 wrote to memory of 1652	1800	svchcst.exe	43
PID 1800 wrote to memory of 1652	1800	svchcst.exe	43
PID 1652 wrote to memory of 2440	1652	WScript.exe	44
PID 1652 wrote to memory of 2440	1652	WScript.exe	44
PID 1652 wrote to memory of 2440	1652	WScript.exe	44
PID 1652 wrote to memory of 2440	1652	WScript.exe	44
PID 2440 wrote to memory of 2620	2440	svchcst.exe	45
PID 2440 wrote to memory of 2620	2440	svchcst.exe	45
PID 2440 wrote to memory of 2620	2440	svchcst.exe	45
PID 2440 wrote to memory of 2620	2440	svchcst.exe	45
PID 2620 wrote to memory of 2928	2620	WScript.exe	46
PID 2620 wrote to memory of 2928	2620	WScript.exe	46
PID 2620 wrote to memory of 2928	2620	WScript.exe	46
PID 2620 wrote to memory of 2928	2620	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe
"C:\Users\Admin\AppData\Local\Temp\2bfe663182d19fb2a224d40ffe026b46cae1afd3ef2abd77bf2671acc8008a2c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c5b2c0f33cc8c2d28707c976d12ea5b7

SHA1
203df77e8f03c5f9c190ffb3432ab1bfe598b4e7

SHA256
80a0e658d67a3a392a98313527e7381904e5352eb7c74cc2b61c1aea2bb60060

SHA512
cd3abc4533c3676a5230d82c32d40536ff60464a22b37e543167895a15c89e1f077b6341dd6a0736a3abb48c08f90f3f68ff922d7fc2ecf8604b22fa9faef18e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c76e0c1381db94649fe75ef1e19f94f

SHA1
bd486c68252c670375af00279499fb7d58d2ca0b

SHA256
36382aaf04e695d8627d21d512c0f31176a8ed38a1dfa8aa1bca9468b596ce8d

SHA512
87a419f6cfcd4f3fc796ebf2c092d4f3c773082ff4cee0b75fd80baf9da5a4aba4a35107d92caf4b77ba7653075aa998050264a1c82e70860b0fc83f18b19614

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9f4101fac38281f1220bb0afbbffa4f6

SHA1
7b29e225b72dffc083c022a84b38b2d3d8d2663f

SHA256
0935b79114dbf8d06442596ddabe3dc26257e7df70d9bbb7c5585cfcca0f7854

SHA512
2a7dbc0048a86032de425f0fc726d51d4208c601df29acbd74fa41ba022e9b00fd5d095acc20351ad94f657f3b93f01882be22dcc00067bc07c99ab49633e205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
94ab0b42680096bd2581ed84ec49ce04

SHA1
792ce9fa72df6bef7294fa3e4c0b06587ca5f618

SHA256
c93fa7a3d6128bb237cff84cfbae39d5138a95641acc63653e83bf63c06fce42

SHA512
578cc34a72def55741f1f91363adbcb66889ff45a5faed428d01b82585a22ac634ed9eb6986da782c4d2f681a994318c7c5cc67377e2c927538925e6e99d86f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a8d37d109885256e7654aaa833b08ab2

SHA1
ee4382d1599b31b991522ee1d91fb55a5e4c11d2

SHA256
0799ab74d0f26a8be0b30b52275164f8be2cdc8fa2877a332444a1e54d565949

SHA512
141954c6fecd051b2b396e1a125a29710b16b0cfb32df40d01cfbe70ca15332bdb557ac02e1e6eb94e750974fa92da82ecdf3c230ec57f0d41ef4907b8876342

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9d5d10f0c9db0c9bc3c0fd334253fae8

SHA1
c14d558e6d968d3694920d19c38f9482dbed448c

SHA256
c35ddaca91810845685d62fc26a4e7ad7c66f4554dd67a887076bce15565113b

SHA512
0792a961f6b33bb0d9b454d8a6d96668e839c6c871441ec61fdd6d7f4b6a70a3b29f9f3d8b083ecfa9bb1b959fd13dddd36d93f21a9b0ee07c2d6a2f8db6bf52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
157a85ed0c35e6c252895e905089c533

SHA1
6ee0427ba0d4dda16f30cffaee9850d906e75cdf

SHA256
7d73e920cef427a165300c1f19590201532908125f395e859779d8004c717326

SHA512
90e9925f2bb75c0d623a427c549ae3d6e19353bfa7f0db46475532d57631a3aa3138e6411611aad9562c415d3b94f47392e5cdb34d4fb0dc531afc4f79a9cb01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cd2f400a41e1d11abc0bd55c88ff215c

SHA1
031d4c08f72b5d1fb06d4a8bbbc5036209e91767

SHA256
bdc31af2b57b2432103ea664934463125abd517403c3675482a6cfe6c50670e4

SHA512
6e2ccef428f2048895c45eb67fe5ac0201814f60b7859fee6b98dce8c2fe2a86914e2f3c5b054366bd93336016d8eac428ff0826938183e89a33c08b90084f6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d513578453dff38c7d288ff199b2efde

SHA1
ef4a1029f02e692033b72471f5507a41c82e5b46

SHA256
9f9ec6118b91ea65b7d6708c6b80286ae77f9039d22b3dd2fa0cabd43557f813

SHA512
61e26ba810fda3dfa4abda93d6ad254704feb9fa69fda4763a614948171a8681d9106d0d5827a62285b6339599c07cf2f50bce13b4cfb32640922fe82f572222

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bdfe27b7f690f4a5dcc4de123f9631a0

SHA1
db6d9dc44775b3f0284cf4015e9b81b310313d6c

SHA256
a787ed8cefb309b8b7ce35e5faffac4ac976420eecc7468341dfd17ce49b5bfd

SHA512
19684d6b8905aca6c3f9c0ee9263c9f88b921983cd3cd1732fa0735ed46be4b86fd00e5f97d1ce872a753493e71696e7b42ba97242926c6c1ca769b598cad8ea

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1183374ed59c532aa87ac36cbd190efb

SHA1
2d32d63019ded5df4d36c548e839232328fb2de6

SHA256
2f55459190d8e1e0a22a53f946a122051d4edb05a65ca8f2ca3c3993c1fc1ed7

SHA512
019a23502b68bae2d1cf886e71544afc4af4bb35da01d099652ed19c82cf593534a80e18a5573a816f07515f98d0116df6247741d790e01e3a0cf84faa9e11df

Download Submit
memory/352-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/352-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/680-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/680-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/776-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/872-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1092-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1092-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1112-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1112-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1248-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1280-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1328-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1328-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1516-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1516-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-92-0x0000000004500000-0x000000000465F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-34-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/1780-33-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/1800-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1852-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1916-65-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/1916-64-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1924-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2172-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2284-217-0x00000000045E0000-0x000000000473F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-153-0x0000000004630000-0x000000000478F000-memory.dmp

Filesize
1.4MB

Download
memory/2356-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2356-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2704-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2832-133-0x0000000005E20000-0x0000000005F7F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2928-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2928-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2940-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2940-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-14-0x0000000005A50000-0x0000000005BAF000-memory.dmp

Filesize
1.4MB

Download
memory/3056-16-0x0000000005A50000-0x0000000005BAF000-memory.dmp

Filesize
1.4MB

Download