b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
Size

1.1MB
MD5

398769265b6300d82b6bf9920fc04531
SHA1

3f1e274298955e8b3c081065d4c0e6ac6c3cc9dd
SHA256

b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba
SHA512

fc03e4c26848961557e7e4a1fc06839c99db43152283e139b95602e7cce7f4cd58fc2036fc275d0549a39aea9f3d8aade0fe8d36baae31a7eefb0a0000a1e8db
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qn:CcaClSFlG4ZM7QzMA

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
3068	svchcst.exe
2180	svchcst.exe
1748	svchcst.exe
2192	svchcst.exe
676	svchcst.exe
376	svchcst.exe
1252	svchcst.exe
2740	svchcst.exe
2380	svchcst.exe
2840	svchcst.exe
2012	svchcst.exe
1912	svchcst.exe
2608	svchcst.exe
708	svchcst.exe
1468	svchcst.exe
2860	svchcst.exe
2740	svchcst.exe
1756	svchcst.exe
2820	svchcst.exe
1764	svchcst.exe
2016	svchcst.exe
3048	svchcst.exe
2932	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2904	WScript.exe
2904	WScript.exe
1632	WScript.exe
1632	WScript.exe
1460	WScript.exe
1460	WScript.exe
1900	WScript.exe
1900	WScript.exe
3040	WScript.exe
3040	WScript.exe
2384	WScript.exe
2384	WScript.exe
1628	WScript.exe
1628	WScript.exe
2128	WScript.exe
2128	WScript.exe
584	WScript.exe
584	WScript.exe
2184	WScript.exe
2184	WScript.exe
2636	WScript.exe
2636	WScript.exe
536	WScript.exe
536	WScript.exe
924	WScript.exe
924	WScript.exe
1824	WScript.exe
1824	WScript.exe
2264	WScript.exe
2264	WScript.exe
1604	WScript.exe
1604	WScript.exe
2996	WScript.exe
2996	WScript.exe
1212	WScript.exe
1212	WScript.exe
2916	WScript.exe
2916	WScript.exe
1416	WScript.exe
1416	WScript.exe
2032	WScript.exe
2032	WScript.exe
1148	WScript.exe
1148	WScript.exe
2212	WScript.exe
2212	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
3068	svchcst.exe
3068	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
676	svchcst.exe
676	svchcst.exe
376	svchcst.exe
376	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
2740	svchcst.exe
2740	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
2608	svchcst.exe
2608	svchcst.exe
708	svchcst.exe
708	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2740	svchcst.exe
2740	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2904	2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	30
PID 2716 wrote to memory of 2904	2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	30
PID 2716 wrote to memory of 2904	2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	30
PID 2716 wrote to memory of 2904	2716	b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe	30
PID 2904 wrote to memory of 3068	2904	WScript.exe	32
PID 2904 wrote to memory of 3068	2904	WScript.exe	32
PID 2904 wrote to memory of 3068	2904	WScript.exe	32
PID 2904 wrote to memory of 3068	2904	WScript.exe	32
PID 3068 wrote to memory of 1632	3068	svchcst.exe	33
PID 3068 wrote to memory of 1632	3068	svchcst.exe	33
PID 3068 wrote to memory of 1632	3068	svchcst.exe	33
PID 3068 wrote to memory of 1632	3068	svchcst.exe	33
PID 1632 wrote to memory of 2180	1632	WScript.exe	34
PID 1632 wrote to memory of 2180	1632	WScript.exe	34
PID 1632 wrote to memory of 2180	1632	WScript.exe	34
PID 1632 wrote to memory of 2180	1632	WScript.exe	34
PID 2180 wrote to memory of 1460	2180	svchcst.exe	35
PID 2180 wrote to memory of 1460	2180	svchcst.exe	35
PID 2180 wrote to memory of 1460	2180	svchcst.exe	35
PID 2180 wrote to memory of 1460	2180	svchcst.exe	35
PID 1460 wrote to memory of 1748	1460	WScript.exe	36
PID 1460 wrote to memory of 1748	1460	WScript.exe	36
PID 1460 wrote to memory of 1748	1460	WScript.exe	36
PID 1460 wrote to memory of 1748	1460	WScript.exe	36
PID 1748 wrote to memory of 1900	1748	svchcst.exe	37
PID 1748 wrote to memory of 1900	1748	svchcst.exe	37
PID 1748 wrote to memory of 1900	1748	svchcst.exe	37
PID 1748 wrote to memory of 1900	1748	svchcst.exe	37
PID 1900 wrote to memory of 2192	1900	WScript.exe	38
PID 1900 wrote to memory of 2192	1900	WScript.exe	38
PID 1900 wrote to memory of 2192	1900	WScript.exe	38
PID 1900 wrote to memory of 2192	1900	WScript.exe	38
PID 2192 wrote to memory of 3040	2192	svchcst.exe	39
PID 2192 wrote to memory of 3040	2192	svchcst.exe	39
PID 2192 wrote to memory of 3040	2192	svchcst.exe	39
PID 2192 wrote to memory of 3040	2192	svchcst.exe	39
PID 3040 wrote to memory of 676	3040	WScript.exe	40
PID 3040 wrote to memory of 676	3040	WScript.exe	40
PID 3040 wrote to memory of 676	3040	WScript.exe	40
PID 3040 wrote to memory of 676	3040	WScript.exe	40
PID 676 wrote to memory of 2384	676	svchcst.exe	41
PID 676 wrote to memory of 2384	676	svchcst.exe	41
PID 676 wrote to memory of 2384	676	svchcst.exe	41
PID 676 wrote to memory of 2384	676	svchcst.exe	41
PID 2384 wrote to memory of 376	2384	WScript.exe	42
PID 2384 wrote to memory of 376	2384	WScript.exe	42
PID 2384 wrote to memory of 376	2384	WScript.exe	42
PID 2384 wrote to memory of 376	2384	WScript.exe	42
PID 376 wrote to memory of 1628	376	svchcst.exe	43
PID 376 wrote to memory of 1628	376	svchcst.exe	43
PID 376 wrote to memory of 1628	376	svchcst.exe	43
PID 376 wrote to memory of 1628	376	svchcst.exe	43
PID 1628 wrote to memory of 1252	1628	WScript.exe	44
PID 1628 wrote to memory of 1252	1628	WScript.exe	44
PID 1628 wrote to memory of 1252	1628	WScript.exe	44
PID 1628 wrote to memory of 1252	1628	WScript.exe	44
PID 1252 wrote to memory of 2128	1252	svchcst.exe	45
PID 1252 wrote to memory of 2128	1252	svchcst.exe	45
PID 1252 wrote to memory of 2128	1252	svchcst.exe	45
PID 1252 wrote to memory of 2128	1252	svchcst.exe	45
PID 2128 wrote to memory of 2740	2128	WScript.exe	46
PID 2128 wrote to memory of 2740	2128	WScript.exe	46
PID 2128 wrote to memory of 2740	2128	WScript.exe	46
PID 2128 wrote to memory of 2740	2128	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe
"C:\Users\Admin\AppData\Local\Temp\b7d320e2ed7fab9bb482db86f00baac138ecbe63d5a1e6982cfccedb151c98ba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
30a92c5910b6558669cb876050cbab56

SHA1
35167b83a52f892ad75ae63e78355b4bc3b67db6

SHA256
0ad75eb17870b075a923636c228747a257838d3dc99e450631030d78c3dfa0b0

SHA512
0b0c4bfdf0e3fa4b3c9e2d8611301ff1ee1362b9fd86962be7a9d7e9af1f1025775c216faa7c97ff52cab408d0569e0127ce21be81658135eee1657927ac1bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ecb83cd3a866088c4c6ceab64e232904

SHA1
fac701c675efbb7014a9680aadff2bb74e328d11

SHA256
1995dee9d48d16127fe5c2dcb945d20264e7578be04a03871b7d5575db9396c2

SHA512
5cf44b4a17b580375326726056bdda1ec3c6e4797e6211be7791333ec63ee95d094b77e9bf07dc1f2a1d446958af14043cc6a82eeabe299c770bd0b798643ccb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1a9c52aed4181c9ed5d37ac2a3da410c

SHA1
d7fb08cc2229f8088edb92780faf652a03e8ddc6

SHA256
5b8b88197c4039fac510e9364ae4d1423f52ef81ed6f11ec9e2022f2a39bd07d

SHA512
a7b92a0fcb4c05b6354249d8c36efe1cbfb232a6e6b25f026995a2a9cfb3bf9c56f8ee0ade238ae315385b3d8c66663d6a9d44aacfd8d00c4e0462a5a94e48f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9782256a54de3274d346f2a5cb114818

SHA1
74f47044c7a75e3236e2c0b38fccf4627c8ddd76

SHA256
c9785809a5f195ba190b13a1cd8644138887abb787b08069f6628ef0e0e1d414

SHA512
5144662739ea0a1a448b6e259158bffe1ede66879a6ba1bb7076e3f5f8726e30c70abd21d72b8cd5d947c07ce07a4aa97425020a31d1af06246e579eed186e19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
678ec565a6e552caf1b25ff40eb0fda2

SHA1
daaf83d4f9778233ad1589d8144e50e378433398

SHA256
a045f987d36829ab0e3b622d66141b2c9907659a43c03a956bf4856f64cd68e4

SHA512
bca0c58af55c0965fb497b5ab18444564eebe8477adeaeca0aba3c110b136e014f333e3dc967b331d969c6d58226b307065ae90f3ce999df5c1e3d951a2b2e0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
43252353348e1fffca065ed52fc049e4

SHA1
2d59fc460c9db179aba70d7567d16c3120bd3f1d

SHA256
b7e7c589a0aaff7cd292338711377cd0a2e8ca0c3958f1cfbeafddb1c6e21325

SHA512
2e6b4764718e1e400bd55ce27e3b06cb9809ed295f5d93da88888b18c70ff35d9c4e4368c8cdfb5cd6357b1d27245c6fe96ff890b92af7cf87c42b25a5b766c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ddf5ff0e566fd36650df85212a12c4af

SHA1
7ebc2da21fd067db89d5cd47ff9bd8419eec7ff7

SHA256
ad385801720ed7183a910f5b54b123353cb1161c47c5cfb4fac309b6945983bb

SHA512
168305a495ccfaae27a73ee07420ca1a4d38e82656ba89fedb82586a367cdf32af81020e7c0246854fa2f3c41d352272bb6efd7d9010b2189790d23a7b611ec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f52cbf8c3bdcf8247812a89c7a1fd55f

SHA1
2c4f8c28b2db72b65e91dd44e94b86897133cb55

SHA256
89899df5c9c0f33eb737141d8ba00fc785b1116d1bfb07a7366da3f5e335757f

SHA512
5c80a1831af64ed07eccac1acd1b7a0f3100cfd3ded85d52a611f197687cea2b6c7a5e06a590e7f5c2918bbd2c59eb064e12624cf2207a0b60141ec4a3bd7c33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
00b3dbd7ebc388efbb8979b717c21014

SHA1
a82445c67090efb2e4f87dca5728ea53c7aa8ce3

SHA256
1d75530ec0ded7cf8b84299bb70afb8cbbb68f0af80cc2702faa889972524fcf

SHA512
bb5c6213e2232c12f528b02953eda47ca33130315d35f3a1457d27a6114748ce07f5e23001a3b194d03b2ee3aae5ba299d2968551ee276391e338cf5f2a89b75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fc72f8e7960be4ffd2cd9cf8be72c718

SHA1
eecc35ecd0d7c0152ef8372dcc41333d3df2864d

SHA256
bc84edc3d7a48ca55722e3d7e51f0b05b456dd06c727a92d2a47500b4b9b8551

SHA512
e2443cf7de855777db06e41f80322de044a01f9c437638d80963dad1ed94c2ee805c93213a8283ddd65a94efa4814a5aa7077136940e938e3e0af26746e92a10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bb7f8703875a58cc74fb20ce477f7c37

SHA1
179297b0cda7a50a0d813d2efa39c2fff543ff53

SHA256
1458622b1d902eb73edbdd7bec09679155e52d0ab786328feb28106b32c53c48

SHA512
7f2b211313d4ab9720cede04ba801dfe8413a7bd44736939095180df43b6585d8ff72bbfa3b06950f4571a8742f7bd4d4dc20189983491fba70c74284dea3993

Download Submit
memory/2716-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download