32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe
Size

1.1MB
MD5

b80011a27595a4adeb83ee59b8ad63a3
SHA1

cfbdfaaca7e4cb430fd5bce625caccba898a7a32
SHA256

32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99
SHA512

cd266e9eef3a54d217d5db818c309ce40283f9c5d71f0f68a19df872d43499cd19396f2faa063638bd0a5e1fc73934b2b3d03eab031b6695dee604c294570244
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QW:CcaClSFlG4ZM7QzMd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2880	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2880	svchcst.exe
3000	svchcst.exe
1556	svchcst.exe
1880	svchcst.exe
2660	svchcst.exe
1444	svchcst.exe
2668	svchcst.exe
2192	svchcst.exe
2348	svchcst.exe
2872	svchcst.exe
988	svchcst.exe
696	svchcst.exe
2488	svchcst.exe
2452	svchcst.exe
876	svchcst.exe
868	svchcst.exe
2720	svchcst.exe
660	svchcst.exe
2308	svchcst.exe
1784	svchcst.exe
2460	svchcst.exe
1212	svchcst.exe
1764	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2076	WScript.exe
2076	WScript.exe
2416	WScript.exe
2416	WScript.exe
1752	WScript.exe
1752	WScript.exe
2548	WScript.exe
2548	WScript.exe
2456	WScript.exe
2456	WScript.exe
1600	WScript.exe
2160	WScript.exe
2908	WScript.exe
2908	WScript.exe
2412	WScript.exe
2412	WScript.exe
2880	WScript.exe
2880	WScript.exe
1520	WScript.exe
1520	WScript.exe
2148	WScript.exe
2148	WScript.exe
2840	WScript.exe
2840	WScript.exe
852	WScript.exe
852	WScript.exe
344	WScript.exe
344	WScript.exe
1672	WScript.exe
1672	WScript.exe
1476	WScript.exe
1476	WScript.exe
2744	WScript.exe
2744	WScript.exe
2612	WScript.exe
2612	WScript.exe
2800	WScript.exe
2800	WScript.exe
1752	WScript.exe
1752	WScript.exe
1216	WScript.exe
1216	WScript.exe
780	WScript.exe
780	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe
2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe
2880	svchcst.exe
2880	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
1556	svchcst.exe
1556	svchcst.exe
1880	svchcst.exe
1880	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
988	svchcst.exe
988	svchcst.exe
696	svchcst.exe
696	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
876	svchcst.exe
876	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
660	svchcst.exe
660	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
1212	svchcst.exe
1212	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2076	2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe	30
PID 2680 wrote to memory of 2076	2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe	30
PID 2680 wrote to memory of 2076	2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe	30
PID 2680 wrote to memory of 2076	2680	32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe	30
PID 2076 wrote to memory of 2880	2076	WScript.exe	33
PID 2076 wrote to memory of 2880	2076	WScript.exe	33
PID 2076 wrote to memory of 2880	2076	WScript.exe	33
PID 2076 wrote to memory of 2880	2076	WScript.exe	33
PID 2880 wrote to memory of 2416	2880	svchcst.exe	34
PID 2880 wrote to memory of 2416	2880	svchcst.exe	34
PID 2880 wrote to memory of 2416	2880	svchcst.exe	34
PID 2880 wrote to memory of 2416	2880	svchcst.exe	34
PID 2416 wrote to memory of 3000	2416	WScript.exe	35
PID 2416 wrote to memory of 3000	2416	WScript.exe	35
PID 2416 wrote to memory of 3000	2416	WScript.exe	35
PID 2416 wrote to memory of 3000	2416	WScript.exe	35
PID 3000 wrote to memory of 1752	3000	svchcst.exe	36
PID 3000 wrote to memory of 1752	3000	svchcst.exe	36
PID 3000 wrote to memory of 1752	3000	svchcst.exe	36
PID 3000 wrote to memory of 1752	3000	svchcst.exe	36
PID 1752 wrote to memory of 1556	1752	WScript.exe	37
PID 1752 wrote to memory of 1556	1752	WScript.exe	37
PID 1752 wrote to memory of 1556	1752	WScript.exe	37
PID 1752 wrote to memory of 1556	1752	WScript.exe	37
PID 1556 wrote to memory of 2548	1556	svchcst.exe	38
PID 1556 wrote to memory of 2548	1556	svchcst.exe	38
PID 1556 wrote to memory of 2548	1556	svchcst.exe	38
PID 1556 wrote to memory of 2548	1556	svchcst.exe	38
PID 2548 wrote to memory of 1880	2548	WScript.exe	39
PID 2548 wrote to memory of 1880	2548	WScript.exe	39
PID 2548 wrote to memory of 1880	2548	WScript.exe	39
PID 2548 wrote to memory of 1880	2548	WScript.exe	39
PID 1880 wrote to memory of 2456	1880	svchcst.exe	40
PID 1880 wrote to memory of 2456	1880	svchcst.exe	40
PID 1880 wrote to memory of 2456	1880	svchcst.exe	40
PID 1880 wrote to memory of 2456	1880	svchcst.exe	40
PID 2456 wrote to memory of 2660	2456	WScript.exe	41
PID 2456 wrote to memory of 2660	2456	WScript.exe	41
PID 2456 wrote to memory of 2660	2456	WScript.exe	41
PID 2456 wrote to memory of 2660	2456	WScript.exe	41
PID 2660 wrote to memory of 1600	2660	svchcst.exe	42
PID 2660 wrote to memory of 1600	2660	svchcst.exe	42
PID 2660 wrote to memory of 1600	2660	svchcst.exe	42
PID 2660 wrote to memory of 1600	2660	svchcst.exe	42
PID 1600 wrote to memory of 1444	1600	WScript.exe	43
PID 1600 wrote to memory of 1444	1600	WScript.exe	43
PID 1600 wrote to memory of 1444	1600	WScript.exe	43
PID 1600 wrote to memory of 1444	1600	WScript.exe	43
PID 1444 wrote to memory of 2160	1444	svchcst.exe	44
PID 1444 wrote to memory of 2160	1444	svchcst.exe	44
PID 1444 wrote to memory of 2160	1444	svchcst.exe	44
PID 1444 wrote to memory of 2160	1444	svchcst.exe	44
PID 2160 wrote to memory of 2668	2160	WScript.exe	45
PID 2160 wrote to memory of 2668	2160	WScript.exe	45
PID 2160 wrote to memory of 2668	2160	WScript.exe	45
PID 2160 wrote to memory of 2668	2160	WScript.exe	45
PID 2668 wrote to memory of 2908	2668	svchcst.exe	46
PID 2668 wrote to memory of 2908	2668	svchcst.exe	46
PID 2668 wrote to memory of 2908	2668	svchcst.exe	46
PID 2668 wrote to memory of 2908	2668	svchcst.exe	46
PID 2908 wrote to memory of 2192	2908	WScript.exe	47
PID 2908 wrote to memory of 2192	2908	WScript.exe	47
PID 2908 wrote to memory of 2192	2908	WScript.exe	47
PID 2908 wrote to memory of 2192	2908	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe
"C:\Users\Admin\AppData\Local\Temp\32d4dcc67570e1334905f3ce115c7f5f7d650f87e80b5d2924d3e25dba93dc99.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e1c8bed38d84d936f0a8ffeb8faf83f5

SHA1
e739b9377b294f5c3db7c0fb193ccac54988de26

SHA256
0d9d18f0dff096f1c7be52965387ddad64a64b8380d8c3dccbac742e78c25e69

SHA512
ee80762b5325f5a29b78f92a394daf9844c691b736523ef6314ce5048508e28bb1a860b8bcb984c16468ee666ec3c10244449209f9e7d1e07aa87db1b2e086f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
779acb671ae880168d928684718a459c

SHA1
2d031ec0f617fe51df57452137359037f5d3ac51

SHA256
eb0eb06e0d45adefbdbdb34a30c9e8682c778e1f183975b389f78a8a71052ba8

SHA512
8fed82f32c8bc03b0e2950217283d8b21c049b23e00e41552d0f6dacd81209818e02a5d75f6825ecc269640fdfd11aec8c35bdb88342a81bfcbeafca188a3665

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b0168598080900d7ff1886aee1ab3dea

SHA1
6dd6a42a588b2f6349eb8a2b2b3bbd5db3420d4f

SHA256
87d37ed010dcff93dec64f2e8e69cebb9641d32a3ce09cd1b7cec2ac9bc37491

SHA512
26ffa4dee2be970d4dd32d0ce659cf533c23ba737adfbe85d7eebe4588044a4e9bf3683d53822137fbbd28f806935d05ef04f1e0837deaa999a64bbb23dca9a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
04d4f158af48ac6a441ad5369eba8468

SHA1
f0dc6bead4c417ff8c46b4d0e055ce59980a13e7

SHA256
b71d695a6b44931ad8cce30969b33561c953438f81e20d2160e27d2e78ed9147

SHA512
15c724d6d4a60f844ff0234cb5a3bfaebe3ff79c2c49f53db8009717ec1a96e23cfe1fd4e3205f0ddb50aa6513c0125258f928e079bbbf98a278aaefba68d0df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d583f1db5d00406dbeb7f48f9edfdb9c

SHA1
a1c4f6805bf1517bf7af41ad23b701c2fbaa37d1

SHA256
78ee5ba175d5ae1f3031304c92ad897bf2003263b90ad802ce03d30c2f22bbe4

SHA512
ad924bedfa47a27221d76da7282b30ecd7d09e338ee8ec63b1760f461b01c59a3d738099e02cd6cacbec453284c9154c7e4652e1309f5cc4b7d0568a7e481600

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8dd54aed0af19a61471f854015e9be90

SHA1
e52b7af34e19e17b5ed8ac75ec350291d8268268

SHA256
83b9446060c12db5633b90e603554588a78b4e149154e173166d601af383a55a

SHA512
b425f5cb8496eef9169abde78210e4200f003875b1db81eec785b4b478559d2c56390fe1dc9ba69268dc93973aa354683175c3db8b1eb2a5abba1e151b16163a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
373f3b736dbf53f62fa9f1d09c9319f8

SHA1
e456e20ee647c3d9288a67674ca67fcb431af0b2

SHA256
d383d19319cb9e34d976a8704ed91bee0a7980cd63c3fed2b99300fdd7a3e14c

SHA512
f5001e4f58ed60ce51746a67ccde43c202b5dd002f1b6d512c430130fd71cc6a4651d6c848d1358191515730c6a869f885cd6feedb94d0a24c8c93ffc4e3df6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ac98dc94993ca0b10b7a478d03153897

SHA1
37d43d09aa623b9e3b01a3e0b0398dfe618527ba

SHA256
530cffe4858b28b1fb7bea948d5dd44a8ade0cea577625eab06701d29ddc42d1

SHA512
17e8f2192890d02c1d8f8a4e8c0f0c7b8bca9ad510b8b439d9d22848226c9e72a7c71835d26a67d90c6619393ec2949a02752f857bdf5fc14deeae08ca1338a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0b1a5b81a4b4776c3e885ae6493c41e9

SHA1
77dd703c9d7a24e8bad2e02f89f007fc22e4f5a4

SHA256
efed92325b918382dd5185376970852750eaa59636e1402853fc44c92935a094

SHA512
a33f45a62fe9ce62c1d1baa2a3467d1b40761fd02758d780e5c0858ff6ab9a5a2bcb04ca52ddcf57e703d461839dccf24738e935759b6bfeaaadea6d1a1fae2c

Download Submit
memory/2680-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download