4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 19:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe
Size

1.1MB
MD5

e546453c65bd77c0d39a3332fce67750
SHA1

892d60084a026fd9450eefa72fdecb044242a255
SHA256

4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5
SHA512

50f96df6a3c7d219af9e99bccbd6c4ad7f0bd987f03710daaeb49cae9065c15a9c08dbb729198f322d3e8ac9fde745abd39bdd09362baf444f67affd3b3844d0
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qy:CcaClSFlG4ZM7QzMB

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2824	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2824	svchcst.exe
1988	svchcst.exe
2132	svchcst.exe
2172	svchcst.exe
3028	svchcst.exe
1552	svchcst.exe
1048	svchcst.exe
2404	svchcst.exe
2648	svchcst.exe
592	svchcst.exe
2988	svchcst.exe
2944	svchcst.exe
2364	svchcst.exe
764	svchcst.exe
572	svchcst.exe
2448	svchcst.exe
1896	svchcst.exe
2456	svchcst.exe
2292	svchcst.exe
536	svchcst.exe
2440	svchcst.exe
1092	svchcst.exe
1388	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2036	WScript.exe
2036	WScript.exe
2800	WScript.exe
2800	WScript.exe
2772	WScript.exe
2772	WScript.exe
1624	WScript.exe
1624	WScript.exe
2168	WScript.exe
2168	WScript.exe
1040	WScript.exe
1040	WScript.exe
2092	WScript.exe
2092	WScript.exe
2264	WScript.exe
2264	WScript.exe
2516	WScript.exe
2516	WScript.exe
2144	WScript.exe
2144	WScript.exe
1972	WScript.exe
1972	WScript.exe
1092	WScript.exe
1092	WScript.exe
2368	WScript.exe
2368	WScript.exe
1504	WScript.exe
1504	WScript.exe
3052	WScript.exe
3052	WScript.exe
2484	WScript.exe
2484	WScript.exe
2492	WScript.exe
2492	WScript.exe
2828	WScript.exe
2828	WScript.exe
2636	WScript.exe
2636	WScript.exe
2820	WScript.exe
2820	WScript.exe
2668	WScript.exe
2668	WScript.exe
1644	WScript.exe
1644	WScript.exe
1436	WScript.exe
1436	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe
2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe
2824	svchcst.exe
2824	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
592	svchcst.exe
592	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
764	svchcst.exe
764	svchcst.exe
572	svchcst.exe
572	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
1896	svchcst.exe
1896	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
1092	svchcst.exe
1092	svchcst.exe
1388	svchcst.exe
1388	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2036	2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe	30
PID 2540 wrote to memory of 2036	2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe	30
PID 2540 wrote to memory of 2036	2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe	30
PID 2540 wrote to memory of 2036	2540	4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe	30
PID 2036 wrote to memory of 2824	2036	WScript.exe	32
PID 2036 wrote to memory of 2824	2036	WScript.exe	32
PID 2036 wrote to memory of 2824	2036	WScript.exe	32
PID 2036 wrote to memory of 2824	2036	WScript.exe	32
PID 2824 wrote to memory of 2800	2824	svchcst.exe	33
PID 2824 wrote to memory of 2800	2824	svchcst.exe	33
PID 2824 wrote to memory of 2800	2824	svchcst.exe	33
PID 2824 wrote to memory of 2800	2824	svchcst.exe	33
PID 2800 wrote to memory of 1988	2800	WScript.exe	35
PID 2800 wrote to memory of 1988	2800	WScript.exe	35
PID 2800 wrote to memory of 1988	2800	WScript.exe	35
PID 2800 wrote to memory of 1988	2800	WScript.exe	35
PID 1988 wrote to memory of 2772	1988	svchcst.exe	36
PID 1988 wrote to memory of 2772	1988	svchcst.exe	36
PID 1988 wrote to memory of 2772	1988	svchcst.exe	36
PID 1988 wrote to memory of 2772	1988	svchcst.exe	36
PID 2772 wrote to memory of 2132	2772	WScript.exe	37
PID 2772 wrote to memory of 2132	2772	WScript.exe	37
PID 2772 wrote to memory of 2132	2772	WScript.exe	37
PID 2772 wrote to memory of 2132	2772	WScript.exe	37
PID 2132 wrote to memory of 1624	2132	svchcst.exe	38
PID 2132 wrote to memory of 1624	2132	svchcst.exe	38
PID 2132 wrote to memory of 1624	2132	svchcst.exe	38
PID 2132 wrote to memory of 1624	2132	svchcst.exe	38
PID 1624 wrote to memory of 2172	1624	WScript.exe	39
PID 1624 wrote to memory of 2172	1624	WScript.exe	39
PID 1624 wrote to memory of 2172	1624	WScript.exe	39
PID 1624 wrote to memory of 2172	1624	WScript.exe	39
PID 2172 wrote to memory of 2168	2172	svchcst.exe	40
PID 2172 wrote to memory of 2168	2172	svchcst.exe	40
PID 2172 wrote to memory of 2168	2172	svchcst.exe	40
PID 2172 wrote to memory of 2168	2172	svchcst.exe	40
PID 2168 wrote to memory of 3028	2168	WScript.exe	41
PID 2168 wrote to memory of 3028	2168	WScript.exe	41
PID 2168 wrote to memory of 3028	2168	WScript.exe	41
PID 2168 wrote to memory of 3028	2168	WScript.exe	41
PID 3028 wrote to memory of 1040	3028	svchcst.exe	42
PID 3028 wrote to memory of 1040	3028	svchcst.exe	42
PID 3028 wrote to memory of 1040	3028	svchcst.exe	42
PID 3028 wrote to memory of 1040	3028	svchcst.exe	42
PID 1040 wrote to memory of 1552	1040	WScript.exe	43
PID 1040 wrote to memory of 1552	1040	WScript.exe	43
PID 1040 wrote to memory of 1552	1040	WScript.exe	43
PID 1040 wrote to memory of 1552	1040	WScript.exe	43
PID 1552 wrote to memory of 2092	1552	svchcst.exe	44
PID 1552 wrote to memory of 2092	1552	svchcst.exe	44
PID 1552 wrote to memory of 2092	1552	svchcst.exe	44
PID 1552 wrote to memory of 2092	1552	svchcst.exe	44
PID 2092 wrote to memory of 1048	2092	WScript.exe	45
PID 2092 wrote to memory of 1048	2092	WScript.exe	45
PID 2092 wrote to memory of 1048	2092	WScript.exe	45
PID 2092 wrote to memory of 1048	2092	WScript.exe	45
PID 1048 wrote to memory of 2264	1048	svchcst.exe	46
PID 1048 wrote to memory of 2264	1048	svchcst.exe	46
PID 1048 wrote to memory of 2264	1048	svchcst.exe	46
PID 1048 wrote to memory of 2264	1048	svchcst.exe	46
PID 2264 wrote to memory of 2404	2264	WScript.exe	47
PID 2264 wrote to memory of 2404	2264	WScript.exe	47
PID 2264 wrote to memory of 2404	2264	WScript.exe	47
PID 2264 wrote to memory of 2404	2264	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe
"C:\Users\Admin\AppData\Local\Temp\4f1f9b012491d922ccf73188f46d909cb6e7a1291dfa5ffcfc615a680d86fdb5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ac292cd4f7fef7675d219a585a0b58c2

SHA1
1b740d7e2a53b50374bb0314db339cd15390050d

SHA256
124f2ad376942f3c7696f149985f31a74115b648de25607db0ac8582b646050c

SHA512
8d37c3d41208d0ebd946e25d70c4e90115b8db61326097974eead00ced4b1aa724b30419337673c651fdd9cf2d5edcd84fedb8db2e070bf9b5acbad064721f87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0fb49046e8a6b0a37d6c0e9c2ccb963c

SHA1
3df16327d92f791e25e859093457ba4b30784c16

SHA256
d55f6113ae5f1dac6ce76b12a24d486977916345ef0832f980cccfebdc6d4a84

SHA512
d6d9f319a6fbdc893bd595862ca302b7569b94a7dfa586f2161fb633ee75b564072c5cf86b607334015b8bcee037a06d09e92269cfb75ba71025480c1b07d4ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e34c71670452d935d97f996b64265453

SHA1
6ea0a6692cbabcadc035ecdf7804d9b15da71da4

SHA256
b60db7880e83e44c93d481207e80ae0a79a21a60b6d48fe2f9006f535105418b

SHA512
0f335ca264aaa10371690ef5c76a423c14994528dbdfd72cc49293dfc6981225be936e3b16210f819aa927964d67e4dd7d6e1e3dafc10951e3d69fe2ab8ad20f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
164432ba67b297c359c1d3bb728c4cc2

SHA1
ef38c8dcf56d93b58eb9a89b9bd50020c47d4082

SHA256
85b24f6db6c3fa4fdb20939608230313fa3266d9342e7bbd9b1ab6f67666c9d9

SHA512
b5015885fb44cd9a853fd5e28cd656e82c4cb0ea2da7079c42e012db2c16abb8739a48009cf9dfb9764a12463e2dd81bd6ec9bcd68d704f4b203a10d3dc7ae85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a95473113d66a6b758dbb3ce70ea12b2

SHA1
aede76a9b6b0caf32253157c91da771fb13874b7

SHA256
24453f32ef73dd4e1432ea3a9e7929dcaee0e7496d19a89777092a0c8cdc4f02

SHA512
eaaffdc7f55a846f8748ecc615359ac11d59d55aedc2dda6c07c335b51d444c3910fbadaaaaa8db3931cba047c589dd2b2ce2d39401a2f6832deec35bf21acac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f049db2da960920ae9bad7408bd27e4f

SHA1
aee70ffc4a278186c7079696eaf404d3f37b6dc2

SHA256
12e3d99b482abfcbc35fad0130ebd765658f77a47955f23225a799df8445199d

SHA512
dee9c0ac1e4b8e4945685b53d78a75eb2a6159a1d54ce573072668f08e19a6f91e56358e4e4c54ae3a8c56f02899b68cbfdc974ab0c8ef860ba02253fa42da0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cd67e18195d3d36e1e864858a88006e3

SHA1
f0b12a55cbcb9f8432df1486b64d5a59b2a0809b

SHA256
fd6ab5e20aea6ca661b4005c1ef330567311747f3a8c209948817fd2f03be246

SHA512
272e1462b4af721ed3eecad859fa61b7842e2538b52ccc24b26169b47f494cd1a2f0e2a3180032f9d794d710fbb2cfe674c71a92566619d6c12538bfb5f5c023

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6222aec1e5946ee326ce28d47fc695df

SHA1
69c94038207cfb35884397bb34a76ced39eaf2b0

SHA256
d8037e51e331d52cd3f56cc7758cb61be82b201259dc24438ea263c91eaa3017

SHA512
a57db6a845f1149291d2a50f96f0d49488e8226da54185f25a28d5c0049f6f7acfebf8e06526987345bffa981c6966ea4dec40269f5ea8ea3b474e65b1f0a253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bf8649b517757a347d18a0796b1bef0a

SHA1
f6d4bdeba2b57b25d90cf1fe1483e72c548334b7

SHA256
3e07bd6d47d7d8543ab9fb699e3778cce110dffeb81e84ae4484fd6ad51b681a

SHA512
1ee894d0e2e2ab82fb89fdfc184cda9f5a8577dd707bb3382b0855532d921c329505b38b1d21856206260bdff2c953eba428d261849e6804974f5ca70e805f23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
397c1d6049fcc3642a2194a362fdb8e5

SHA1
04568f7d31793e1ff6630bbd29a13cfff90f47ec

SHA256
3c8d7f656f30f267184e443de0c50bcef06ca491efbfed005af68827ddf41105

SHA512
ba3ac81ca1866f35f0428f76bb346b5a454adf4bc6e04dd8245eab280b2962e1ecceeae5f5092fef9627b1d970f5541cbd75f0752cdd927cdbe00d1e779a7651

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9c290a32653bf9d41d55773856cece32

SHA1
7f9f53f658a3c110b9c322971ae47135938766df

SHA256
8ced9036494dceeba62fd00801fb2937c54d773c4ca2ad59b2ff3fee427ca5f4

SHA512
07d70de040287527ddc3bba76291ead1ce4e1c74469e4d3ff9ba0a2a5fb71d57a1b690b6c432ad9297fdbe4ed75e45919303d31f0d9ac841c56cc0781923069a

Download Submit
memory/2540-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download