d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe
Size

1.1MB
MD5

8f198b8766cd4634aa26fcacd9396ea5
SHA1

60e6842d27b3e0f09f22654d3f21b64498ec2120
SHA256

d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5
SHA512

0607cfb76dcf703b751b3ccd47871d0493df3dc03a96bf8a5f60f0a82fc55a2c51b5adddf569794bddd472969179d16ea360567f22b6821878468c43f4a2b9ca
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:CcaClSFlG4ZM7QzM2

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2492	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2492	svchcst.exe
1500	svchcst.exe
1960	svchcst.exe
1160	svchcst.exe
692	svchcst.exe
412	svchcst.exe
3052	svchcst.exe
2872	svchcst.exe
2392	svchcst.exe
2488	svchcst.exe
1908	svchcst.exe
1920	svchcst.exe
1164	svchcst.exe
1644	svchcst.exe
2840	svchcst.exe
1580	svchcst.exe
3060	svchcst.exe
2180	svchcst.exe
404	svchcst.exe
2972	svchcst.exe
2524	svchcst.exe
1048	svchcst.exe
1760	svchcst.exe

Loads dropped DLL 34 IoCs

pid	Process
3068	WScript.exe
3068	WScript.exe
2464	WScript.exe
2648	WScript.exe
2916	WScript.exe
2052	WScript.exe
2052	WScript.exe
888	WScript.exe
3040	WScript.exe
2116	WScript.exe
2116	WScript.exe
1756	WScript.exe
1756	WScript.exe
1872	WScript.exe
2176	WScript.exe
2176	WScript.exe
2428	WScript.exe
2428	WScript.exe
3004	WScript.exe
3004	WScript.exe
2864	WScript.exe
2864	WScript.exe
1748	WScript.exe
1748	WScript.exe
2472	WScript.exe
2472	WScript.exe
2832	WScript.exe
2832	WScript.exe
1836	WScript.exe
1836	WScript.exe
1148	WScript.exe
1148	WScript.exe
2612	WScript.exe
2612	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe
2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe
2492	svchcst.exe
2492	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1160	svchcst.exe
1160	svchcst.exe
692	svchcst.exe
692	svchcst.exe
412	svchcst.exe
412	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
1580	svchcst.exe
1580	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
404	svchcst.exe
404	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3068	2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe	28
PID 2372 wrote to memory of 3068	2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe	28
PID 2372 wrote to memory of 3068	2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe	28
PID 2372 wrote to memory of 3068	2372	d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe	28
PID 3068 wrote to memory of 2492	3068	WScript.exe	30
PID 3068 wrote to memory of 2492	3068	WScript.exe	30
PID 3068 wrote to memory of 2492	3068	WScript.exe	30
PID 3068 wrote to memory of 2492	3068	WScript.exe	30
PID 2492 wrote to memory of 2464	2492	svchcst.exe	31
PID 2492 wrote to memory of 2464	2492	svchcst.exe	31
PID 2492 wrote to memory of 2464	2492	svchcst.exe	31
PID 2492 wrote to memory of 2464	2492	svchcst.exe	31
PID 2464 wrote to memory of 1500	2464	WScript.exe	32
PID 2464 wrote to memory of 1500	2464	WScript.exe	32
PID 2464 wrote to memory of 1500	2464	WScript.exe	32
PID 2464 wrote to memory of 1500	2464	WScript.exe	32
PID 1500 wrote to memory of 2648	1500	svchcst.exe	33
PID 1500 wrote to memory of 2648	1500	svchcst.exe	33
PID 1500 wrote to memory of 2648	1500	svchcst.exe	33
PID 1500 wrote to memory of 2648	1500	svchcst.exe	33
PID 2648 wrote to memory of 1960	2648	WScript.exe	34
PID 2648 wrote to memory of 1960	2648	WScript.exe	34
PID 2648 wrote to memory of 1960	2648	WScript.exe	34
PID 2648 wrote to memory of 1960	2648	WScript.exe	34
PID 1960 wrote to memory of 2916	1960	svchcst.exe	35
PID 1960 wrote to memory of 2916	1960	svchcst.exe	35
PID 1960 wrote to memory of 2916	1960	svchcst.exe	35
PID 1960 wrote to memory of 2916	1960	svchcst.exe	35
PID 2916 wrote to memory of 1160	2916	WScript.exe	36
PID 2916 wrote to memory of 1160	2916	WScript.exe	36
PID 2916 wrote to memory of 1160	2916	WScript.exe	36
PID 2916 wrote to memory of 1160	2916	WScript.exe	36
PID 1160 wrote to memory of 2052	1160	svchcst.exe	37
PID 1160 wrote to memory of 2052	1160	svchcst.exe	37
PID 1160 wrote to memory of 2052	1160	svchcst.exe	37
PID 1160 wrote to memory of 2052	1160	svchcst.exe	37
PID 2052 wrote to memory of 692	2052	WScript.exe	38
PID 2052 wrote to memory of 692	2052	WScript.exe	38
PID 2052 wrote to memory of 692	2052	WScript.exe	38
PID 2052 wrote to memory of 692	2052	WScript.exe	38
PID 692 wrote to memory of 2448	692	svchcst.exe	39
PID 692 wrote to memory of 2448	692	svchcst.exe	39
PID 692 wrote to memory of 2448	692	svchcst.exe	39
PID 692 wrote to memory of 2448	692	svchcst.exe	39
PID 2052 wrote to memory of 412	2052	WScript.exe	40
PID 2052 wrote to memory of 412	2052	WScript.exe	40
PID 2052 wrote to memory of 412	2052	WScript.exe	40
PID 2052 wrote to memory of 412	2052	WScript.exe	40
PID 412 wrote to memory of 888	412	svchcst.exe	41
PID 412 wrote to memory of 888	412	svchcst.exe	41
PID 412 wrote to memory of 888	412	svchcst.exe	41
PID 412 wrote to memory of 888	412	svchcst.exe	41
PID 888 wrote to memory of 3052	888	WScript.exe	42
PID 888 wrote to memory of 3052	888	WScript.exe	42
PID 888 wrote to memory of 3052	888	WScript.exe	42
PID 888 wrote to memory of 3052	888	WScript.exe	42
PID 3052 wrote to memory of 3040	3052	svchcst.exe	43
PID 3052 wrote to memory of 3040	3052	svchcst.exe	43
PID 3052 wrote to memory of 3040	3052	svchcst.exe	43
PID 3052 wrote to memory of 3040	3052	svchcst.exe	43
PID 3040 wrote to memory of 2872	3040	WScript.exe	46
PID 3040 wrote to memory of 2872	3040	WScript.exe	46
PID 3040 wrote to memory of 2872	3040	WScript.exe	46
PID 3040 wrote to memory of 2872	3040	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe
"C:\Users\Admin\AppData\Local\Temp\d04b091c209580e3845fbecd947ac80e7623c2b8d455733c1c610b9f1ef930a5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b7aa4c3e1c84865da90206ff69c1c065

SHA1
7e773e8ad575f2ec40eb03072efd1aa97b70b259

SHA256
457df1900b5115c8e97edf087b17ef46af143f5cb2611a5192d967196350636d

SHA512
04fe5638ce1a7cd151e5104bcd1e30497e7e2e2c6b90eb754e2a30114881eee2dea219dfeabaf206863a6c3a854640cd5937feaa306acc9562cb8b2bc8f40a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2d6346060ca3fc500cee252cd3378dcf

SHA1
dc61cd97111b2d082b521306305f9054908d4dc1

SHA256
d141753e150a8e7dc249054710e4f81c4b84da9f171c19ba20da9e25443c1f6b

SHA512
0db57874ebd4520f3bd95a3b9311db78455ba76a8717c07a05069141015912fdcaf6b1fd5fd882ebd4415d7d62f00523011c50914be97dc3b61cd26b586de3a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f7f972e4d2cc1a8db455ebb4639c7c34

SHA1
f538a8ebc7e95d6e8b789a000ae647aa65ce0390

SHA256
7a6bd80767e102a2fa225f0f41958078f57ee9660868ef32afcb74560de35ae4

SHA512
cd1f2ec0934038aa0cc0559c3c10d467a7c0f64062c5ea5cd15b8817d7bb606508cd3fa3396ba89b5008d17c99fbc1548a7f0ec69abd5a4c125545cea3ad76c6

Download Submit
memory/2372-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download