9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
Size

1.1MB
MD5

246ac5b65eb0805c6710ecb0f6779693
SHA1

86d9c2ee11163e3699d0e1e0136bc2c3ef49e594
SHA256

9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6
SHA512

91285b80dd99caa82ffdc0cfbbd198f738ea776767856632e971b7c0da0c5e099ee68a68d9fdeb1ac6006cf13e89b696d19561d60b2496f2f228aaee1f868add
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q7:CcaClSFlG4ZM7QzM8

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1372	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
1372	svchcst.exe
2180	svchcst.exe
2952	svchcst.exe
1472	svchcst.exe
2428	svchcst.exe
1324	svchcst.exe
1136	svchcst.exe
2728	svchcst.exe
2612	svchcst.exe
2052	svchcst.exe
1512	svchcst.exe
564	svchcst.exe
1244	svchcst.exe
2336	svchcst.exe
740	svchcst.exe
2748	svchcst.exe
3048	svchcst.exe
2028	svchcst.exe
2996	svchcst.exe
2052	svchcst.exe
2736	svchcst.exe
564	svchcst.exe
1976	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2708	WScript.exe
2708	WScript.exe
1776	WScript.exe
1744	WScript.exe
1516	WScript.exe
1516	WScript.exe
2260	WScript.exe
2432	WScript.exe
1656	WScript.exe
1656	WScript.exe
1384	WScript.exe
1384	WScript.exe
284	WScript.exe
284	WScript.exe
2436	WScript.exe
2436	WScript.exe
2876	WScript.exe
2876	WScript.exe
316	WScript.exe
316	WScript.exe
2512	WScript.exe
2512	WScript.exe
2356	WScript.exe
2356	WScript.exe
608	WScript.exe
608	WScript.exe
2432	WScript.exe
2432	WScript.exe
2680	WScript.exe
2680	WScript.exe
2900	WScript.exe
2900	WScript.exe
1556	WScript.exe
1556	WScript.exe
2688	WScript.exe
2688	WScript.exe
2860	WScript.exe
2860	WScript.exe
492	WScript.exe
492	WScript.exe
1784	WScript.exe
1784	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
1372	svchcst.exe
1372	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
1324	svchcst.exe
1324	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
564	svchcst.exe
564	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
740	svchcst.exe
740	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
564	svchcst.exe
564	svchcst.exe
1976	svchcst.exe
1976	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2708	2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	31
PID 2012 wrote to memory of 2708	2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	31
PID 2012 wrote to memory of 2708	2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	31
PID 2012 wrote to memory of 2708	2012	9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe	31
PID 2708 wrote to memory of 1372	2708	WScript.exe	33
PID 2708 wrote to memory of 1372	2708	WScript.exe	33
PID 2708 wrote to memory of 1372	2708	WScript.exe	33
PID 2708 wrote to memory of 1372	2708	WScript.exe	33
PID 1372 wrote to memory of 1776	1372	svchcst.exe	34
PID 1372 wrote to memory of 1776	1372	svchcst.exe	34
PID 1372 wrote to memory of 1776	1372	svchcst.exe	34
PID 1372 wrote to memory of 1776	1372	svchcst.exe	34
PID 1776 wrote to memory of 2180	1776	WScript.exe	35
PID 1776 wrote to memory of 2180	1776	WScript.exe	35
PID 1776 wrote to memory of 2180	1776	WScript.exe	35
PID 1776 wrote to memory of 2180	1776	WScript.exe	35
PID 2180 wrote to memory of 1744	2180	svchcst.exe	36
PID 2180 wrote to memory of 1744	2180	svchcst.exe	36
PID 2180 wrote to memory of 1744	2180	svchcst.exe	36
PID 2180 wrote to memory of 1744	2180	svchcst.exe	36
PID 1744 wrote to memory of 2952	1744	WScript.exe	37
PID 1744 wrote to memory of 2952	1744	WScript.exe	37
PID 1744 wrote to memory of 2952	1744	WScript.exe	37
PID 1744 wrote to memory of 2952	1744	WScript.exe	37
PID 2952 wrote to memory of 1516	2952	svchcst.exe	38
PID 2952 wrote to memory of 1516	2952	svchcst.exe	38
PID 2952 wrote to memory of 1516	2952	svchcst.exe	38
PID 2952 wrote to memory of 1516	2952	svchcst.exe	38
PID 1516 wrote to memory of 1472	1516	WScript.exe	39
PID 1516 wrote to memory of 1472	1516	WScript.exe	39
PID 1516 wrote to memory of 1472	1516	WScript.exe	39
PID 1516 wrote to memory of 1472	1516	WScript.exe	39
PID 1472 wrote to memory of 2260	1472	svchcst.exe	40
PID 1472 wrote to memory of 2260	1472	svchcst.exe	40
PID 1472 wrote to memory of 2260	1472	svchcst.exe	40
PID 1472 wrote to memory of 2260	1472	svchcst.exe	40
PID 2260 wrote to memory of 2428	2260	WScript.exe	41
PID 2260 wrote to memory of 2428	2260	WScript.exe	41
PID 2260 wrote to memory of 2428	2260	WScript.exe	41
PID 2260 wrote to memory of 2428	2260	WScript.exe	41
PID 2428 wrote to memory of 2432	2428	svchcst.exe	42
PID 2428 wrote to memory of 2432	2428	svchcst.exe	42
PID 2428 wrote to memory of 2432	2428	svchcst.exe	42
PID 2428 wrote to memory of 2432	2428	svchcst.exe	42
PID 2432 wrote to memory of 1324	2432	WScript.exe	43
PID 2432 wrote to memory of 1324	2432	WScript.exe	43
PID 2432 wrote to memory of 1324	2432	WScript.exe	43
PID 2432 wrote to memory of 1324	2432	WScript.exe	43
PID 1324 wrote to memory of 1656	1324	svchcst.exe	44
PID 1324 wrote to memory of 1656	1324	svchcst.exe	44
PID 1324 wrote to memory of 1656	1324	svchcst.exe	44
PID 1324 wrote to memory of 1656	1324	svchcst.exe	44
PID 1656 wrote to memory of 1136	1656	WScript.exe	45
PID 1656 wrote to memory of 1136	1656	WScript.exe	45
PID 1656 wrote to memory of 1136	1656	WScript.exe	45
PID 1656 wrote to memory of 1136	1656	WScript.exe	45
PID 1136 wrote to memory of 1384	1136	svchcst.exe	46
PID 1136 wrote to memory of 1384	1136	svchcst.exe	46
PID 1136 wrote to memory of 1384	1136	svchcst.exe	46
PID 1136 wrote to memory of 1384	1136	svchcst.exe	46
PID 1384 wrote to memory of 2728	1384	WScript.exe	47
PID 1384 wrote to memory of 2728	1384	WScript.exe	47
PID 1384 wrote to memory of 2728	1384	WScript.exe	47
PID 1384 wrote to memory of 2728	1384	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe
"C:\Users\Admin\AppData\Local\Temp\9bff81d7b8a1fd632cda9b0d5a1b8e3b264574644d1a7ee8c7307db50501d1e6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6ee2698ff49326d00c741b779a78465b

SHA1
de8d38ada7d62c2aa4088d43e3d68c7ba193bd26

SHA256
2b8f1a08d36ebdf60df973f56b3990cdf63d1d54b7717494304812694493f300

SHA512
afac2f3873b1054e2405c190e001bc75ed7b43e138721d0f95490901ba767d5e2ff8c5b0f5daea402918efa162a5e50e8a4744f9d281239597673754f85e5b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0229f77aae77d61244da7967401f2b50

SHA1
7b318491d88f633e5c8276515eaab0e921a31707

SHA256
3c27e2fd30b12493b0d5da5dbe0b467ede4e12752e6f3fd3fe285cae4f8ba033

SHA512
2b3b0c4acb44a884c0085f59fc9f8b9a959bcd84a7832355b2365ee2b714f2589ab5787aadbffbabec534c6fffc4b5d1322f298271ed94a7177cb63a3403793f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
96b33a2fdba1dbc1b64a9f47d2860cfa

SHA1
af36372da1bd393402434fdd307d2fd51fa7e979

SHA256
75755d66f9fd31dd5ec254540e0587c882144544f7400fe19137db588328552a

SHA512
23b18a36247826691e6714955e434506e4dc6cec3acccdc48cfb6671a1a957e2588b15ba17ed3900d7fede151ababae27537f5c239d9c2eb9beea11e1786f9c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1f2a0a7a71415a804d577b2bc74576a8

SHA1
07148c1274d758df5db9134bb7e254918c161212

SHA256
5997ea781c4ad6ee5d17dd6f0b6e6a045a5e74a58ab76e861e44ed956de318e3

SHA512
cdf9434d7d1a9a655aab6a6c26b1691dc5f0452ccfe629527d10d1a21ac6d09bc378aadb7312964a76f106b809b219c0ea56595310507a92f3a1f150d5ac1b43

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f08632c98f139cb4edae4d01c48714d5

SHA1
df2ac60a0507c3fcabb274701243831bc4add428

SHA256
dcc11a7a8e1911b2ce94cd0bed24b9bdea56a82599e129f6f40d4261206f037c

SHA512
c7ebd93dfda68428cdc4653522a8cadde09b0742598c990d1a25ab7dc020f9ef0af1266fa0513c3751431d303c275eb3af95cf635494080dfca8e45c8996d6a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
27bc8b337b435cb19192d0828d97890c

SHA1
aef8f510c1fc09754c5b2431d00e3cd7a144c2e1

SHA256
b8c9ed0dbab7e44f38decdfaa61952e25628de61daef01f1e6e0c179a023470e

SHA512
3df3a1337ec2a82b4d6d6ed2fadd03f79217036fe963862f68086fdd46f5fa524cc60af43f51570a712c20b0ec6ba62677271f2baaf17f4f576485ab0e60671b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
88821cc97fadce6b88d4f27f1be7342f

SHA1
28e743221f5fd79dc0f325becd15b38229fb519c

SHA256
2c875bcce286c8190d2fff7b9f67ecc09fda1cc423b4a69e357c42a40499ca39

SHA512
b70805a0523e241961f145c13225b81bf79a53759180da31f3ba1da8d4e9ff09080b69cf63c0486e9605fa0fd24f4c317a15f48356e3e3fb26e6cbef0a43b2b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
45477b01b96dd37cac6426f021d46567

SHA1
46add87282efd5550173c6fdfcfdf030dcd1c4c3

SHA256
0b756350e12dadfaf96438dcaebf4e9314ed365752837a72048e25242db6080f

SHA512
e9f1687c24ced1fd449ff2a7194e45b122ddab0ed1b733805ffbd90eebb460d4914db5525bcb9852118e92ff859b22081e4867655808eea76218747a9a7730c1

Download Submit
memory/2012-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download