93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe
Size

1.1MB
MD5

541bce12a5994aea4f149831a146c496
SHA1

0d8f1755c7bda06a4e46007ddba5c0bc2b482adb
SHA256

93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936
SHA512

9caa3761212a356fa50b36e04ee91f0819f5219dc62f2848aa366de71e0a2f7da2a9ef29102671a9a2ce335e3f9039f6982b8b8e2831029a06eb51d7617ea986
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q9:CcaClSFlG4ZM7QzMm

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2632	svchcst.exe
2844	svchcst.exe
1944	svchcst.exe
1776	svchcst.exe
1040	svchcst.exe
2276	svchcst.exe
2320	svchcst.exe
2720	svchcst.exe
2468	svchcst.exe
2748	svchcst.exe
1728	svchcst.exe
1700	svchcst.exe
488	svchcst.exe
700	svchcst.exe
2152	svchcst.exe
2296	svchcst.exe
2536	svchcst.exe
1952	svchcst.exe
2344	svchcst.exe
2260	svchcst.exe
2504	svchcst.exe
2772	svchcst.exe
1488	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2640	WScript.exe
2640	WScript.exe
2472	WScript.exe
2472	WScript.exe
556	WScript.exe
556	WScript.exe
2688	WScript.exe
2688	WScript.exe
1100	WScript.exe
1100	WScript.exe
1792	WScript.exe
1792	WScript.exe
1880	WScript.exe
1880	WScript.exe
2872	WScript.exe
2572	WScript.exe
2572	WScript.exe
2632	WScript.exe
2632	WScript.exe
2824	WScript.exe
2772	WScript.exe
2772	WScript.exe
1920	WScript.exe
1920	WScript.exe
1092	WScript.exe
1092	WScript.exe
644	WScript.exe
644	WScript.exe
2172	WScript.exe
2172	WScript.exe
3004	WScript.exe
3004	WScript.exe
3024	WScript.exe
3024	WScript.exe
2572	WScript.exe
2572	WScript.exe
944	WScript.exe
944	WScript.exe
2820	WScript.exe
2820	WScript.exe
1844	WScript.exe
1844	WScript.exe
584	WScript.exe
584	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe
2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe
2632	svchcst.exe
2632	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
1040	svchcst.exe
1040	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
488	svchcst.exe
488	svchcst.exe
700	svchcst.exe
700	svchcst.exe
2152	svchcst.exe
2152	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2640	2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe	28
PID 2932 wrote to memory of 2640	2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe	28
PID 2932 wrote to memory of 2640	2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe	28
PID 2932 wrote to memory of 2640	2932	93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe	28
PID 2640 wrote to memory of 2632	2640	WScript.exe	30
PID 2640 wrote to memory of 2632	2640	WScript.exe	30
PID 2640 wrote to memory of 2632	2640	WScript.exe	30
PID 2640 wrote to memory of 2632	2640	WScript.exe	30
PID 2632 wrote to memory of 2472	2632	svchcst.exe	31
PID 2632 wrote to memory of 2472	2632	svchcst.exe	31
PID 2632 wrote to memory of 2472	2632	svchcst.exe	31
PID 2632 wrote to memory of 2472	2632	svchcst.exe	31
PID 2472 wrote to memory of 2844	2472	WScript.exe	32
PID 2472 wrote to memory of 2844	2472	WScript.exe	32
PID 2472 wrote to memory of 2844	2472	WScript.exe	32
PID 2472 wrote to memory of 2844	2472	WScript.exe	32
PID 2844 wrote to memory of 556	2844	svchcst.exe	33
PID 2844 wrote to memory of 556	2844	svchcst.exe	33
PID 2844 wrote to memory of 556	2844	svchcst.exe	33
PID 2844 wrote to memory of 556	2844	svchcst.exe	33
PID 556 wrote to memory of 1944	556	WScript.exe	34
PID 556 wrote to memory of 1944	556	WScript.exe	34
PID 556 wrote to memory of 1944	556	WScript.exe	34
PID 556 wrote to memory of 1944	556	WScript.exe	34
PID 1944 wrote to memory of 2688	1944	svchcst.exe	35
PID 1944 wrote to memory of 2688	1944	svchcst.exe	35
PID 1944 wrote to memory of 2688	1944	svchcst.exe	35
PID 1944 wrote to memory of 2688	1944	svchcst.exe	35
PID 2688 wrote to memory of 1776	2688	WScript.exe	36
PID 2688 wrote to memory of 1776	2688	WScript.exe	36
PID 2688 wrote to memory of 1776	2688	WScript.exe	36
PID 2688 wrote to memory of 1776	2688	WScript.exe	36
PID 1776 wrote to memory of 1100	1776	svchcst.exe	37
PID 1776 wrote to memory of 1100	1776	svchcst.exe	37
PID 1776 wrote to memory of 1100	1776	svchcst.exe	37
PID 1776 wrote to memory of 1100	1776	svchcst.exe	37
PID 1100 wrote to memory of 1040	1100	WScript.exe	38
PID 1100 wrote to memory of 1040	1100	WScript.exe	38
PID 1100 wrote to memory of 1040	1100	WScript.exe	38
PID 1100 wrote to memory of 1040	1100	WScript.exe	38
PID 1040 wrote to memory of 1792	1040	svchcst.exe	39
PID 1040 wrote to memory of 1792	1040	svchcst.exe	39
PID 1040 wrote to memory of 1792	1040	svchcst.exe	39
PID 1040 wrote to memory of 1792	1040	svchcst.exe	39
PID 1792 wrote to memory of 2276	1792	WScript.exe	40
PID 1792 wrote to memory of 2276	1792	WScript.exe	40
PID 1792 wrote to memory of 2276	1792	WScript.exe	40
PID 1792 wrote to memory of 2276	1792	WScript.exe	40
PID 2276 wrote to memory of 1880	2276	svchcst.exe	41
PID 2276 wrote to memory of 1880	2276	svchcst.exe	41
PID 2276 wrote to memory of 1880	2276	svchcst.exe	41
PID 2276 wrote to memory of 1880	2276	svchcst.exe	41
PID 1880 wrote to memory of 2320	1880	WScript.exe	42
PID 1880 wrote to memory of 2320	1880	WScript.exe	42
PID 1880 wrote to memory of 2320	1880	WScript.exe	42
PID 1880 wrote to memory of 2320	1880	WScript.exe	42
PID 2320 wrote to memory of 2872	2320	svchcst.exe	43
PID 2320 wrote to memory of 2872	2320	svchcst.exe	43
PID 2320 wrote to memory of 2872	2320	svchcst.exe	43
PID 2320 wrote to memory of 2872	2320	svchcst.exe	43
PID 2872 wrote to memory of 2720	2872	WScript.exe	46
PID 2872 wrote to memory of 2720	2872	WScript.exe	46
PID 2872 wrote to memory of 2720	2872	WScript.exe	46
PID 2872 wrote to memory of 2720	2872	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe
"C:\Users\Admin\AppData\Local\Temp\93a3cd1052ff2fa591b2e599a3e3699b691db0bb87f9b043c1d9fc39f0997936.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f41f8af6fd5918e73208b2bc108e45e3

SHA1
753f9e7cd5e6c362bef1023ddd12f455e9f534a6

SHA256
bf47b03f05f0a804b5e619f9fd96182a9a34826193a5bcffd9f9e61719b0fcf8

SHA512
3b96d20894950dea7cb93f9241b87adf4f00e6ac71f79b72369a984fc6cfee9214fcace4f0ddf453cbce4cacfe0c40a48b2942c875db1fa8e74321e7a2bd37c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d35f27adb7c3cf1eab4d6eabc20ec0a1

SHA1
07a451f14511996fb38d1a7ba54a9bc59ee31793

SHA256
ad3593789b8d84570dca6387425bfc1628c33f99a82f3822618cf6016b30d947

SHA512
eb19817c5967b4089711ba1e2598e796ddc25725cd309fbf39a95cf5d37afd41ac0e5b9c8bcff901a1a35255bce6cac1e488ca49a9c9d5f967f60f3c1d145cc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d686e2c5e1fd782a7e1a15f2b6b66610

SHA1
9e13892aec85c4ecaf602d7f68ca89e0baad9a60

SHA256
e36423da9e1d28bc9d70fd9163f64e854566639079c1c465326c55fa7d98e745

SHA512
e127d8ea970d27bd73ec77dd895fce22b8a29b673df003b03886f6edc367e6e6b96c3c9737b1a527a2cbbf0b80fedb5d5dd2b57ebd0421d48f4720b34b111113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e620c47f232ff1bd40814c4780391d2c

SHA1
64dabb11b374bf837a69e849a20f831695283a44

SHA256
627905ca53a1915a4c9ee5eb797bd4fca9dbb13abc63a30d421efbb2d18090c5

SHA512
37a87bc5b363086ce79b6f8ca1199ed45475aa99d8264783a36ff099e835d77c4af3fb48806f550feb8a1a922bc7e7f750bdce50aa0b1eda92d40d6cc87b041a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b341f717cfd3926e466f8400b4ba905

SHA1
2d836b2ed7bbf21d51e8506c557df511c75338eb

SHA256
027f9274521234df58aac6e75b71551e04ca458c27a25a147d55f73ae81ad061

SHA512
429967be3dbb553f0968f23b5c7a3958ce4334ab21167ef945092db6e54493faf792b95122251de2874ebf25a5f64822e68c8fc8980971027791b4a872d45b67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9de7f3f7c48dd4ca43fae59745fb6fa1

SHA1
d8cc636142fc4045fc1b0585422837d7f4f0199f

SHA256
5028eccb686514263fdb393f5d0850cb1cf9e3c1eabef7fb22b3033149028941

SHA512
f8e3081b7277612d8533f081af6f85bc428b84adce15acdea1585eb5fb5d8b26e518745eb6b7c885f9ab656c4d7a83bac7beaabe378ad2e85452cece9aa4abdc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a178f4c9748d9608c84fe7994ec454c4

SHA1
ad3b184f9106005394f1364d7dcae99037136148

SHA256
ab383576ef2c688212adb11dc95ae1c08088a7d1b09961fac95758a78314e4ac

SHA512
1ee183a94c739005757676a1d4e09d2fca55850785881453ac199a094365b3aa1b034c7fef5b2003de88c93b717cfe9f1d594dbf843af73f176b3243ecbee4f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f363907e3b7e5e49c69901dd63c08761

SHA1
65070b4a80adc4ff56e8107688ba9fbd68552c87

SHA256
050020ff3661f21e3ed0187a0ade57bf9d5a5a2023261992eb52fde25c0262db

SHA512
e1ab00a3dc9a069f42d7d74167a7a5e410f2b1b81360ff87116907532481796077d44f8c97fffb69170761586e568d9d1c531dd1233d0abbf2c5176bdc500b6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b140b0bb27c381e04a2d207c1e0a9f09

SHA1
859baeadfb36089b67de43e5c238940718064437

SHA256
49debf007a22ce7be32f625dad1425bb9bb4d138820340d35f3f152713fba9dc

SHA512
205339a8a50345566c9a7f8414b3150a2c0ab7167b4367b1775464d6c64cc4c4f5bf85c2cc5d838047396c62afc47028d6f23dfd47f8d40ec6c87d6b65bd3210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4cf5479a2683a39bf88e020489980a2a

SHA1
92b2880bc9cb266e574b4455f45b22f40001582f

SHA256
29c2c75ffaa736607b8e2f7bbdbbb33e69466b95d203732d5dddbdab188364ee

SHA512
b00f6a9ce72437c71e7b34a5d05dc17d9ee0ab93cdd12f896aa0fc58ca6708376b1ac89b85b8175361686eb17f5ed20034b7ba33c1f3d9efe536bcb746c44901

Download Submit
memory/2932-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download