093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
Size

1.1MB
MD5

416665dc85736f7667e544e0aa830fda
SHA1

c602e02564cc3c6283aac2838ab40201b69f20d5
SHA256

093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2
SHA512

737bf453a1446c183642d16c87c50f3b1af9b0d93bb6aafca30525c0c4bcbb04739945e54eb7452cde0a1f7c5f211634623ab0a8521d384bf25d95316c47584b
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QQ:acallSllG4ZM7QzM3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2944	svchcst.exe
1892	svchcst.exe
3016	svchcst.exe
600	svchcst.exe
1560	svchcst.exe
948	svchcst.exe
2712	svchcst.exe
2812	svchcst.exe
2680	svchcst.exe
2008	svchcst.exe
1600	svchcst.exe
1524	svchcst.exe
1356	svchcst.exe
1772	svchcst.exe
2128	svchcst.exe
2108	svchcst.exe
2620	svchcst.exe
2364	svchcst.exe
2924	svchcst.exe
980	svchcst.exe
2312	svchcst.exe
1560	svchcst.exe
1044	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
1676	WScript.exe
1676	WScript.exe
2636	WScript.exe
3020	WScript.exe
2416	WScript.exe
2416	WScript.exe
3056	WScript.exe
3056	WScript.exe
3064	WScript.exe
2536	WScript.exe
2536	WScript.exe
2708	WScript.exe
2708	WScript.exe
2708	WScript.exe
2956	WScript.exe
2388	WScript.exe
996	WScript.exe
996	WScript.exe
996	WScript.exe
1720	WScript.exe
1720	WScript.exe
2216	WScript.exe
2216	WScript.exe
2800	WScript.exe
2800	WScript.exe
3012	WScript.exe
3012	WScript.exe
1252	WScript.exe
1252	WScript.exe
2160	WScript.exe
2160	WScript.exe
584	WScript.exe
584	WScript.exe
752	WScript.exe
752	WScript.exe
2848	WScript.exe
2848	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
2944	svchcst.exe
2944	svchcst.exe
1892	svchcst.exe
1892	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
600	svchcst.exe
600	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
948	svchcst.exe
948	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
1356	svchcst.exe
1356	svchcst.exe
1772	svchcst.exe
1772	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
980	svchcst.exe
980	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
1044	svchcst.exe
1044	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 1676	2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	30
PID 2948 wrote to memory of 1676	2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	30
PID 2948 wrote to memory of 1676	2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	30
PID 2948 wrote to memory of 1676	2948	093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe	30
PID 1676 wrote to memory of 2944	1676	WScript.exe	32
PID 1676 wrote to memory of 2944	1676	WScript.exe	32
PID 1676 wrote to memory of 2944	1676	WScript.exe	32
PID 1676 wrote to memory of 2944	1676	WScript.exe	32
PID 2944 wrote to memory of 2636	2944	svchcst.exe	33
PID 2944 wrote to memory of 2636	2944	svchcst.exe	33
PID 2944 wrote to memory of 2636	2944	svchcst.exe	33
PID 2944 wrote to memory of 2636	2944	svchcst.exe	33
PID 2636 wrote to memory of 1892	2636	WScript.exe	34
PID 2636 wrote to memory of 1892	2636	WScript.exe	34
PID 2636 wrote to memory of 1892	2636	WScript.exe	34
PID 2636 wrote to memory of 1892	2636	WScript.exe	34
PID 1892 wrote to memory of 3020	1892	svchcst.exe	35
PID 1892 wrote to memory of 3020	1892	svchcst.exe	35
PID 1892 wrote to memory of 3020	1892	svchcst.exe	35
PID 1892 wrote to memory of 3020	1892	svchcst.exe	35
PID 3020 wrote to memory of 3016	3020	WScript.exe	37
PID 3020 wrote to memory of 3016	3020	WScript.exe	37
PID 3020 wrote to memory of 3016	3020	WScript.exe	37
PID 3020 wrote to memory of 3016	3020	WScript.exe	37
PID 3016 wrote to memory of 2416	3016	svchcst.exe	38
PID 3016 wrote to memory of 2416	3016	svchcst.exe	38
PID 3016 wrote to memory of 2416	3016	svchcst.exe	38
PID 3016 wrote to memory of 2416	3016	svchcst.exe	38
PID 2416 wrote to memory of 600	2416	WScript.exe	39
PID 2416 wrote to memory of 600	2416	WScript.exe	39
PID 2416 wrote to memory of 600	2416	WScript.exe	39
PID 2416 wrote to memory of 600	2416	WScript.exe	39
PID 600 wrote to memory of 3056	600	svchcst.exe	40
PID 600 wrote to memory of 3056	600	svchcst.exe	40
PID 600 wrote to memory of 3056	600	svchcst.exe	40
PID 600 wrote to memory of 3056	600	svchcst.exe	40
PID 3056 wrote to memory of 1560	3056	WScript.exe	41
PID 3056 wrote to memory of 1560	3056	WScript.exe	41
PID 3056 wrote to memory of 1560	3056	WScript.exe	41
PID 3056 wrote to memory of 1560	3056	WScript.exe	41
PID 1560 wrote to memory of 3064	1560	svchcst.exe	42
PID 1560 wrote to memory of 3064	1560	svchcst.exe	42
PID 1560 wrote to memory of 3064	1560	svchcst.exe	42
PID 1560 wrote to memory of 3064	1560	svchcst.exe	42
PID 3064 wrote to memory of 948	3064	WScript.exe	43
PID 3064 wrote to memory of 948	3064	WScript.exe	43
PID 3064 wrote to memory of 948	3064	WScript.exe	43
PID 3064 wrote to memory of 948	3064	WScript.exe	43
PID 948 wrote to memory of 2536	948	svchcst.exe	44
PID 948 wrote to memory of 2536	948	svchcst.exe	44
PID 948 wrote to memory of 2536	948	svchcst.exe	44
PID 948 wrote to memory of 2536	948	svchcst.exe	44
PID 2536 wrote to memory of 2712	2536	WScript.exe	45
PID 2536 wrote to memory of 2712	2536	WScript.exe	45
PID 2536 wrote to memory of 2712	2536	WScript.exe	45
PID 2536 wrote to memory of 2712	2536	WScript.exe	45
PID 2712 wrote to memory of 1752	2712	svchcst.exe	46
PID 2712 wrote to memory of 1752	2712	svchcst.exe	46
PID 2712 wrote to memory of 1752	2712	svchcst.exe	46
PID 2712 wrote to memory of 1752	2712	svchcst.exe	46
PID 2536 wrote to memory of 2812	2536	WScript.exe	47
PID 2536 wrote to memory of 2812	2536	WScript.exe	47
PID 2536 wrote to memory of 2812	2536	WScript.exe	47
PID 2536 wrote to memory of 2812	2536	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe
"C:\Users\Admin\AppData\Local\Temp\093c6ab2d64eea9932b94b6fdd03903a6e5d45de83760619beb53fe556fca5e2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8398b8891a1030043b3c05ca6f094a38

SHA1
6595f90af8cc7eba7cc114327a7b2cf5b8243b5e

SHA256
fe30a890690fd26c9777822aa988003f912797a5a640e249d6b7419516650e48

SHA512
79ab7c258c0a1fdde743729d55e4946eed50ae1c8f659eb201df4ad29257a786b99b93ec0aece7a92062c2dccdcf63fd91feae011baad1cd3640a9512c0ada06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
26d074a4b00173d86b21c0ce32d97b90

SHA1
cf89a26780f5d2f1c90e95ad7be895e31d8e73e7

SHA256
0c0ec25c41d46134b7732ab2de9c5b302d44dc0926119d9592b913e2f881eb5b

SHA512
3112d9a60c3bd830fcb463a91d0f6f69a37776be4dd17f3bd7210e0f5c4194d2823e268a974016d94d26785c73781c3734b0b0b5913878ea34c3993b9b7b75cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
456151510d0c8fc301d9418d07d35c6d

SHA1
fb2a08b17d180036a977b801e9726d9913f1c9d5

SHA256
e05a2d51eefb666c2aacddf0263582719ae5f3fdca3048d0c7e5bfbd41a237b2

SHA512
060d83e44e6aa65304af3dd9ff4abe1cebb5bc634b4488d5edeeb839933b61adc38cea37ab9eef5ae33d41081721cee19f83938d5f86dbf42aca309011875de9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
561218451758b3048b7ea88e723b229e

SHA1
e76018a96ef9d9e8e889c798c95445dfd670c4c7

SHA256
db767282cff54241dae67571a471d61458e2caf3b67c645afae136d8106480b0

SHA512
63136b209dd869c5555e395ed727a5e78749d95ea9f9b2541ac8a932df29b496f29b10bffbfcf527c1124c7def9c8845b0678c2f5dc553280cfd5f7dddfd569f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0134e90d2029626656a554f7f16886f3

SHA1
2853a638e442f154b5b22cd20806e81bb5e19dcf

SHA256
4600ba7fe554d7cda395a537bcfac9fa13a7a799f18260fd04319e5f596b5f0c

SHA512
864df5ca00ddd5a1fc4eb135ba1e0a84cb86036ddec776df0069c8844c7f68f487df08077d424c2163291421bafe52eb3d1f8a584c175e63e21a23f4f3ec999e

Download Submit
memory/600-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/600-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/948-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/948-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-186-0x0000000005E10000-0x0000000005F6F000-memory.dmp

Filesize
1.4MB

Download
memory/1044-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-15-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/1676-14-0x0000000005D20000-0x0000000005E7F000-memory.dmp

Filesize
1.4MB

Download
memory/1772-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1772-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1892-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2008-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-54-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-53-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-237-0x00000000045F0000-0x000000000474F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-200-0x0000000004650000-0x00000000047AF000-memory.dmp

Filesize
1.4MB

Download
memory/3016-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3056-68-0x00000000046B0000-0x000000000480F000-memory.dmp

Filesize
1.4MB

Download