71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
Size

1.1MB
MD5

022ac5dfc456dacd5a2b1c2f1726dc8c
SHA1

480fff24d3352ca3aae873894f1d9d02715c594b
SHA256

71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e
SHA512

64e0b266bf5a70510debb32759b7621b87839b05284efe29d306d943a3cee4ecfd11f62a43fb4b363ad953c91d785c65db4d6c7704f15e7bbe5e1f6bc9c3f6fa
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QD:CcaClSFlG4ZM7QzMk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2588	svchcst.exe
2396	svchcst.exe
1792	svchcst.exe
1404	svchcst.exe
1964	svchcst.exe
2372	svchcst.exe
2004	svchcst.exe
1784	svchcst.exe
3000	svchcst.exe
1728	svchcst.exe
328	svchcst.exe
1228	svchcst.exe
1352	svchcst.exe
1500	svchcst.exe
316	svchcst.exe
2448	svchcst.exe
1788	svchcst.exe
2776	svchcst.exe
1064	svchcst.exe
2680	svchcst.exe
1644	svchcst.exe
2256	svchcst.exe
548	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2248	WScript.exe
2248	WScript.exe
2520	WScript.exe
2520	WScript.exe
2788	WScript.exe
2424	WScript.exe
2424	WScript.exe
2424	WScript.exe
588	WScript.exe
588	WScript.exe
1776	WScript.exe
1776	WScript.exe
1388	WScript.exe
1388	WScript.exe
2044	WScript.exe
2044	WScript.exe
2552	WScript.exe
2400	WScript.exe
2400	WScript.exe
2400	WScript.exe
2480	WScript.exe
2480	WScript.exe
2356	WScript.exe
2356	WScript.exe
2392	WScript.exe
2392	WScript.exe
1372	WScript.exe
1372	WScript.exe
1456	WScript.exe
1456	WScript.exe
2440	WScript.exe
2440	WScript.exe
2512	WScript.exe
2512	WScript.exe
1488	WScript.exe
1488	WScript.exe
1608	WScript.exe
1608	WScript.exe
2268	WScript.exe
2268	WScript.exe
1968	WScript.exe
1968	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
2588	svchcst.exe
2588	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
1792	svchcst.exe
1792	svchcst.exe
1404	svchcst.exe
1404	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
328	svchcst.exe
328	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe
1352	svchcst.exe
1352	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
316	svchcst.exe
316	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
1788	svchcst.exe
1788	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
548	svchcst.exe
548	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2248	2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe	28
PID 2236 wrote to memory of 2248	2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe	28
PID 2236 wrote to memory of 2248	2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe	28
PID 2236 wrote to memory of 2248	2236	71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe	28
PID 2248 wrote to memory of 2588	2248	WScript.exe	30
PID 2248 wrote to memory of 2588	2248	WScript.exe	30
PID 2248 wrote to memory of 2588	2248	WScript.exe	30
PID 2248 wrote to memory of 2588	2248	WScript.exe	30
PID 2588 wrote to memory of 2520	2588	svchcst.exe	31
PID 2588 wrote to memory of 2520	2588	svchcst.exe	31
PID 2588 wrote to memory of 2520	2588	svchcst.exe	31
PID 2588 wrote to memory of 2520	2588	svchcst.exe	31
PID 2520 wrote to memory of 2396	2520	WScript.exe	32
PID 2520 wrote to memory of 2396	2520	WScript.exe	32
PID 2520 wrote to memory of 2396	2520	WScript.exe	32
PID 2520 wrote to memory of 2396	2520	WScript.exe	32
PID 2396 wrote to memory of 2788	2396	svchcst.exe	33
PID 2396 wrote to memory of 2788	2396	svchcst.exe	33
PID 2396 wrote to memory of 2788	2396	svchcst.exe	33
PID 2396 wrote to memory of 2788	2396	svchcst.exe	33
PID 2788 wrote to memory of 1792	2788	WScript.exe	34
PID 2788 wrote to memory of 1792	2788	WScript.exe	34
PID 2788 wrote to memory of 1792	2788	WScript.exe	34
PID 2788 wrote to memory of 1792	2788	WScript.exe	34
PID 1792 wrote to memory of 2424	1792	svchcst.exe	35
PID 1792 wrote to memory of 2424	1792	svchcst.exe	35
PID 1792 wrote to memory of 2424	1792	svchcst.exe	35
PID 1792 wrote to memory of 2424	1792	svchcst.exe	35
PID 2424 wrote to memory of 1404	2424	WScript.exe	36
PID 2424 wrote to memory of 1404	2424	WScript.exe	36
PID 2424 wrote to memory of 1404	2424	WScript.exe	36
PID 2424 wrote to memory of 1404	2424	WScript.exe	36
PID 1404 wrote to memory of 2920	1404	svchcst.exe	37
PID 1404 wrote to memory of 2920	1404	svchcst.exe	37
PID 1404 wrote to memory of 2920	1404	svchcst.exe	37
PID 1404 wrote to memory of 2920	1404	svchcst.exe	37
PID 2424 wrote to memory of 1964	2424	WScript.exe	38
PID 2424 wrote to memory of 1964	2424	WScript.exe	38
PID 2424 wrote to memory of 1964	2424	WScript.exe	38
PID 2424 wrote to memory of 1964	2424	WScript.exe	38
PID 1964 wrote to memory of 588	1964	svchcst.exe	39
PID 1964 wrote to memory of 588	1964	svchcst.exe	39
PID 1964 wrote to memory of 588	1964	svchcst.exe	39
PID 1964 wrote to memory of 588	1964	svchcst.exe	39
PID 588 wrote to memory of 2372	588	WScript.exe	40
PID 588 wrote to memory of 2372	588	WScript.exe	40
PID 588 wrote to memory of 2372	588	WScript.exe	40
PID 588 wrote to memory of 2372	588	WScript.exe	40
PID 2372 wrote to memory of 1776	2372	svchcst.exe	41
PID 2372 wrote to memory of 1776	2372	svchcst.exe	41
PID 2372 wrote to memory of 1776	2372	svchcst.exe	41
PID 2372 wrote to memory of 1776	2372	svchcst.exe	41
PID 1776 wrote to memory of 2004	1776	WScript.exe	44
PID 1776 wrote to memory of 2004	1776	WScript.exe	44
PID 1776 wrote to memory of 2004	1776	WScript.exe	44
PID 1776 wrote to memory of 2004	1776	WScript.exe	44
PID 2004 wrote to memory of 1388	2004	svchcst.exe	45
PID 2004 wrote to memory of 1388	2004	svchcst.exe	45
PID 2004 wrote to memory of 1388	2004	svchcst.exe	45
PID 2004 wrote to memory of 1388	2004	svchcst.exe	45
PID 1388 wrote to memory of 1784	1388	WScript.exe	46
PID 1388 wrote to memory of 1784	1388	WScript.exe	46
PID 1388 wrote to memory of 1784	1388	WScript.exe	46
PID 1388 wrote to memory of 1784	1388	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe
"C:\Users\Admin\AppData\Local\Temp\71b82f66ea7ff1ddab1d4a4bc71516b46ab02359e2464b5c87d4ac5f50e99d0e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
52f768936fd202fb752f97ec0b0e3e00

SHA1
95513312386de02ae586c8180acef87d21fe27c9

SHA256
91ec31373ad6ec3677ec30a82a149d22728fc3ce1d882515ec5e2b7b3b34c5a7

SHA512
91b4643ae192476ad7dc27e6e560fd82703db2fd7e241b0360d0f5205c7aa974d3e8c1093313ab1f144b42d75efdfda0044b3ae86e8450ca7904db8a1d279914

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
38933bb15b6e4f3c86410b97ff3cf2fa

SHA1
af41fe78415a9ad3f2806e9d7966c93dc9644e93

SHA256
e734ecda765f219cae453b2e56f69f59dac31a5f483c9efedb1a56c19e4dccdc

SHA512
c078af1b4132e8acb024f05a4bdaa3ea9d2d9c9b5c8bcee19baa4e2e81956857fa396b30af044833964eef158115d31dd65a1f3716d39e66d9ad4952b34f86ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
73463e152bc2b12c3f617f7514ea2610

SHA1
b24e9b27ba34de01dd64a32b59b67a6834e9bd92

SHA256
bac03e8bd0970a2f31a4ec7288f002e2139544d26a14e27b5b83c322fb1bd77d

SHA512
0c46e37d44c8a5185c018b0674e94a16d3ddd32ab3ef24cae2c7d30c5c425bdb73e60ae8707f7115ac6659dd733c40281252cc9ca63aef058ce17932889ea447

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
94ebc321f6a50796b4ecf4d388bc835f

SHA1
1326a62108d4cd7dbb1508da95e3c930d4c59285

SHA256
c458b1ab399008c34435f3a363ee4e4cc3dee5ea2d02e18ebafb8f186603850b

SHA512
bbb8537ac7bd9c0343ad7c9fe1c7e8b4b75f296611d5e652e44fe8c3708c776107f2fab5b8df957aaeddad863267256db2713eb96ff4fa59eaa8de5ea60ccdef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
76a0d22ab21a4f76ee9eefef5f73acd0

SHA1
35ddfa3f136e2b1d9fbedf23c3d8d17c0508b025

SHA256
5359dc06d5e927943fb443995fd6c61800c926f2c49e2deeff49c8f90a1cf46c

SHA512
073140538278af0a83799372a48906d896f15a4f47755a9e89f2781bd10cbe45ad09c93ebc51b6e0be9d7aec5075295ed9f6d281d5497de1836768348c0a3a0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cb4078a2d6baad1d3b9e27ef135b9adf

SHA1
be9ce3b4347c805148364a57633b63dd296ff4d1

SHA256
9a5d866291c3088042da1f1b8564eb97623273ac024b2101721a8920fed97c35

SHA512
b6457bb1214e25bdf553e2a9fa3f8d4aa8b037d0486791f720d183551fa824109c000b7d57e39b011de78fc5f766b1c5fbcae756345c25bb275cb077f222cc17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
746a4bf809408bbcee68549a672cc6d8

SHA1
5b80b804e42ab61b4e71b3ae9307f9dcddfb5881

SHA256
e666c62ea9c2bff684e5809437b7b7a7bcf77dc02f1a75613f4666589c25436a

SHA512
1dac9b2d20daf73165abf5754c123dff11208a09db943e25edf1f3b2f88ccffe5706b1591d050c3b98ea78ab063d2902a6bb3b435d8b6abcca9a6689d539e7f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
51ed3ac2e5af075048291ace72c562d7

SHA1
13544a49bb4c03bd14b1020b268751350154ab2f

SHA256
967b4ddb01173b5f992f1dc473bc7c471d8b712c8b0b5577820f000483cc3548

SHA512
f5cf8cbfb1e9ec806bd9ea3e87ec5eca54895899dcde1b6261cb4ee06f8bc6823afee9c5b2c9001d5be3706b97535d92396c19970e3633c6573e834167d373b1

Download Submit
memory/2236-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download