34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe
Size

1.1MB
MD5

7859424922a5ec5e60b0102efa24bfe3
SHA1

02ec52f8042ea57fd355b5bbb6a6a26aa7d99504
SHA256

34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05
SHA512

b69f6ecd67af3fe9bfe5224d0fad52abbe2ee32abf8f3e2fc8397d8e25b1018d0f92318c48575907e86acabe4891e33ef1286b15e1b493e47babb2ab6d028492
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qn:CcaClSFlG4ZM7QzMw

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2668	svchcst.exe
2452	svchcst.exe
2384	svchcst.exe
2364	svchcst.exe
1704	svchcst.exe
1724	svchcst.exe
1044	svchcst.exe
1236	svchcst.exe
2752	svchcst.exe
2632	svchcst.exe
2756	svchcst.exe
1268	svchcst.exe
2024	svchcst.exe
2844	svchcst.exe
1676	svchcst.exe
1628	svchcst.exe
584	svchcst.exe
1940	svchcst.exe
2460	svchcst.exe
964	svchcst.exe
2208	svchcst.exe
1716	svchcst.exe
1432	svchcst.exe
2844	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
764	WScript.exe
764	WScript.exe
2828	WScript.exe
2828	WScript.exe
2920	WScript.exe
2920	WScript.exe
1260	WScript.exe
1260	WScript.exe
1864	WScript.exe
1864	WScript.exe
1304	WScript.exe
352	WScript.exe
352	WScript.exe
352	WScript.exe
3000	WScript.exe
3000	WScript.exe
536	WScript.exe
2644	WScript.exe
2644	WScript.exe
2452	WScript.exe
2452	WScript.exe
1760	WScript.exe
1760	WScript.exe
588	WScript.exe
588	WScript.exe
2780	WScript.exe
2780	WScript.exe
2412	WScript.exe
2412	WScript.exe
3008	WScript.exe
3008	WScript.exe
2736	WScript.exe
2736	WScript.exe
2464	WScript.exe
2464	WScript.exe
2560	WScript.exe
2560	WScript.exe
2756	WScript.exe
2756	WScript.exe
944	WScript.exe
944	WScript.exe
1280	WScript.exe
1280	WScript.exe
560	WScript.exe
560	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe
2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe
2668	svchcst.exe
2668	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
1724	svchcst.exe
1724	svchcst.exe
1044	svchcst.exe
1044	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
584	svchcst.exe
584	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
964	svchcst.exe
964	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 764	2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe	28
PID 2156 wrote to memory of 764	2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe	28
PID 2156 wrote to memory of 764	2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe	28
PID 2156 wrote to memory of 764	2156	34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe	28
PID 764 wrote to memory of 2668	764	WScript.exe	32
PID 764 wrote to memory of 2668	764	WScript.exe	32
PID 764 wrote to memory of 2668	764	WScript.exe	32
PID 764 wrote to memory of 2668	764	WScript.exe	32
PID 2668 wrote to memory of 2828	2668	svchcst.exe	33
PID 2668 wrote to memory of 2828	2668	svchcst.exe	33
PID 2668 wrote to memory of 2828	2668	svchcst.exe	33
PID 2668 wrote to memory of 2828	2668	svchcst.exe	33
PID 2828 wrote to memory of 2452	2828	WScript.exe	34
PID 2828 wrote to memory of 2452	2828	WScript.exe	34
PID 2828 wrote to memory of 2452	2828	WScript.exe	34
PID 2828 wrote to memory of 2452	2828	WScript.exe	34
PID 2452 wrote to memory of 2920	2452	svchcst.exe	35
PID 2452 wrote to memory of 2920	2452	svchcst.exe	35
PID 2452 wrote to memory of 2920	2452	svchcst.exe	35
PID 2452 wrote to memory of 2920	2452	svchcst.exe	35
PID 2920 wrote to memory of 2384	2920	WScript.exe	36
PID 2920 wrote to memory of 2384	2920	WScript.exe	36
PID 2920 wrote to memory of 2384	2920	WScript.exe	36
PID 2920 wrote to memory of 2384	2920	WScript.exe	36
PID 2384 wrote to memory of 1260	2384	svchcst.exe	37
PID 2384 wrote to memory of 1260	2384	svchcst.exe	37
PID 2384 wrote to memory of 1260	2384	svchcst.exe	37
PID 2384 wrote to memory of 1260	2384	svchcst.exe	37
PID 1260 wrote to memory of 2364	1260	WScript.exe	38
PID 1260 wrote to memory of 2364	1260	WScript.exe	38
PID 1260 wrote to memory of 2364	1260	WScript.exe	38
PID 1260 wrote to memory of 2364	1260	WScript.exe	38
PID 2364 wrote to memory of 1864	2364	svchcst.exe	39
PID 2364 wrote to memory of 1864	2364	svchcst.exe	39
PID 2364 wrote to memory of 1864	2364	svchcst.exe	39
PID 2364 wrote to memory of 1864	2364	svchcst.exe	39
PID 1864 wrote to memory of 1704	1864	WScript.exe	40
PID 1864 wrote to memory of 1704	1864	WScript.exe	40
PID 1864 wrote to memory of 1704	1864	WScript.exe	40
PID 1864 wrote to memory of 1704	1864	WScript.exe	40
PID 1704 wrote to memory of 1304	1704	svchcst.exe	41
PID 1704 wrote to memory of 1304	1704	svchcst.exe	41
PID 1704 wrote to memory of 1304	1704	svchcst.exe	41
PID 1704 wrote to memory of 1304	1704	svchcst.exe	41
PID 1304 wrote to memory of 1724	1304	WScript.exe	42
PID 1304 wrote to memory of 1724	1304	WScript.exe	42
PID 1304 wrote to memory of 1724	1304	WScript.exe	42
PID 1304 wrote to memory of 1724	1304	WScript.exe	42
PID 1724 wrote to memory of 352	1724	svchcst.exe	43
PID 1724 wrote to memory of 352	1724	svchcst.exe	43
PID 1724 wrote to memory of 352	1724	svchcst.exe	43
PID 1724 wrote to memory of 352	1724	svchcst.exe	43
PID 352 wrote to memory of 1044	352	WScript.exe	44
PID 352 wrote to memory of 1044	352	WScript.exe	44
PID 352 wrote to memory of 1044	352	WScript.exe	44
PID 352 wrote to memory of 1044	352	WScript.exe	44
PID 1044 wrote to memory of 3000	1044	svchcst.exe	45
PID 1044 wrote to memory of 3000	1044	svchcst.exe	45
PID 1044 wrote to memory of 3000	1044	svchcst.exe	45
PID 1044 wrote to memory of 3000	1044	svchcst.exe	45
PID 352 wrote to memory of 1236	352	WScript.exe	46
PID 352 wrote to memory of 1236	352	WScript.exe	46
PID 352 wrote to memory of 1236	352	WScript.exe	46
PID 352 wrote to memory of 1236	352	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe
"C:\Users\Admin\AppData\Local\Temp\34de962b4d15e9c5951df082cafb2677573ea1086c4f054dbd952b0c876b3e05.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9da0bab38c44e721c743cd736b7d93d6

SHA1
f39ae436a7ed4f45bef756100c4454fa86856c9f

SHA256
b0ce11eb028a588be7e324f44398063202fb50560192b6f0d4f04022f7562a8b

SHA512
36be4c9093f358f02ca5bb8c56990e6ad252d4d24f7d1928c44c6d60d3cfdf77191bbd807975d6e09319b71807254fcb7a88ac328f55527817e042689bd23a8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b1fc6b78b0d8b97cf34b7918d4190ae5

SHA1
db949dcc9ec98a68bc2a83d720c3a107ca98d0fc

SHA256
a9d740f987ef5419360f6d8207cb43cff799a1abb4efef30b6aafc354347e648

SHA512
84ba719f26274262562362dbd1258133fb65ce9b8556ede595e7526bc414303f2cf247c82ce36c62525fa8657d87217b140f054d3717d5d090dcc3cd3c49bd0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
116d85c6d02d394e0cec8b0b3f5ccddb

SHA1
70518f99b9ee1a8435df75f945392d40cbcede75

SHA256
90808a0fc7902d234e8076946cfe079db9b757f876d3def82971eef7815a80e2

SHA512
b35e9105704ecfbd4c38e7cbe8bb1083e1f0ba8fff0512f1761033c4c89164e3a70bfca11d1c742aa60ee4867bbab32fcf1e7cb87e677c416c87d38d65563358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c77d24bf129d39a0890c1c055a5221f

SHA1
5e0b6fa5a0eb2eb367e4c875ca82a4695dda11b7

SHA256
e84410b7f2cbf575d342660c851af7214cd39de39f6618268522a7399985039e

SHA512
9a9892c72744a5e3306cf4caa2072297c0afd3599f524565f02bbabcd821af70addcd05f55d4ad928d12c85abd68ace453b87febe1fbf1875d8114b303d182c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e5da4fb8fac200219d969a6cef0b351a

SHA1
9d2f34199a2e5103179d058fb23b653c6778e13c

SHA256
47e07b803375359b318f2927a4ac583384015a13e5bc3fd365562fe9f0fa2e62

SHA512
c5802addaa58f4edbebf2e3b5d61b0fd3af3f28d8c8fcd304cee7b0a899effe01e2dbb7512015083e4911840d61b65981747b08c90c7de52037e269a57becab3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f4d56851822419ac94b5f48166b98fcd

SHA1
90ff69ef97e7a1dc2d52f40752df35e5ef2d55e0

SHA256
dffad1d9fd414863cc1bd972346f42c89c289bd324af1998e053da667d0f2136

SHA512
bb05f293d3ce9b3d6715da70fdb1cdba96b11a9ab4064c9d1ce6faea14d57f888e95dd73f95be7208615b60236962ee47a2192b359ecc5d558f984babb2852bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
effaf4b5a339ab28d38e84dcc3b29fe5

SHA1
9b4d94fe1aad30d04c23cecea56506a14a365604

SHA256
5acf77163ab5591dd83b82967aba75651f44411403c3de4d3f33bba407190b0b

SHA512
f13b0d43368fd11ad0d7b3814add65b8f778b887dc8e922ef3e42be91964b1d50f52c970c1081bb435bb65e1f3df8ecc82ea54a774ff45be11132df70c8aa4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
19513c13ff116686e0ecfdc9711dc39d

SHA1
80f688459c74cd033ed7eb7e35fc0644711ca39d

SHA256
69104acbb5918c49c6b48e28135c83876030faba2ea69aea40b000b4c76145b4

SHA512
778bb114daabc89fe808adf15c9578cc1e3df2eb46a4465558df5bf04993a3c783d751cf118f96bd16616b91d31ec32111f72e43380ed7f4f3be6bba1fcef113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
db49af87c6db81ae065d9746fd18a444

SHA1
32090c717ca475ff9d7170e203cb88694ca27e11

SHA256
7db352a85f924b047e3040395f1300558b3e48bcfd81c59bb107b7617a9938ac

SHA512
44f76884114e193cab1cf8c5022668a32f058242e797d294d8ae0b9bf063d983698deccb43626d1287699b2e48a8f6856a4eac2483b18df5561ef42efa71b0ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6d8bf992fffee2c5f52a05185efd53aa

SHA1
20b69099cd22b2c0a4e30f93eb2400d32250dd09

SHA256
f2726a966c539f47eeade2a80a3194146ce4d6d359575a09e3c781bc5d99f7b4

SHA512
ed58ca30f204558734088ffd16dd5425ca3fe71a84b392e0bbcc271cc3d0b3d4e73081785c5db56ba461b86e78e51af9f3cd38589cf2eb7b6b1f0b91dca12d02

Download Submit
memory/2156-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download