11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 22:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe
Size

1.1MB
MD5

f8603aefb819b60fb5bebea51ab0d02a
SHA1

72a2c80f15577fd81411fab5de3b7fcf2a77b7ae
SHA256

11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7
SHA512

0f0c653422b15e62f75c64873c8cfcab7f0809340745ccedb1533cf30e8f06f23dfebaa8bfe168bac1a638b2d81d085a4e548710bc551d718a32559ce1f48349
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QU:CcaClSFlG4ZM7QzMD

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2696	svchcst.exe
1864	svchcst.exe
1460	svchcst.exe
2072	svchcst.exe
2500	svchcst.exe
640	svchcst.exe
756	svchcst.exe
2936	svchcst.exe
2960	svchcst.exe
2036	svchcst.exe
2460	svchcst.exe
1876	svchcst.exe
2124	svchcst.exe
2988	svchcst.exe
2784	svchcst.exe
2656	svchcst.exe
568	svchcst.exe
1924	svchcst.exe
2012	svchcst.exe
1972	svchcst.exe
1496	svchcst.exe
1012	svchcst.exe
1152	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2872	WScript.exe
2872	WScript.exe
704	WScript.exe
704	WScript.exe
2460	WScript.exe
2460	WScript.exe
2204	WScript.exe
2204	WScript.exe
2256	WScript.exe
2256	WScript.exe
2168	WScript.exe
2168	WScript.exe
1676	WScript.exe
1676	WScript.exe
2092	WScript.exe
2092	WScript.exe
1592	WScript.exe
1592	WScript.exe
588	WScript.exe
588	WScript.exe
656	WScript.exe
656	WScript.exe
3028	WScript.exe
3028	WScript.exe
1624	WScript.exe
1624	WScript.exe
2052	WScript.exe
2052	WScript.exe
640	WScript.exe
640	WScript.exe
2996	WScript.exe
2996	WScript.exe
2544	WScript.exe
2544	WScript.exe
2816	WScript.exe
2816	WScript.exe
1504	WScript.exe
1504	WScript.exe
1748	WScript.exe
1748	WScript.exe
2200	WScript.exe
2200	WScript.exe
836	WScript.exe
836	WScript.exe
1388	WScript.exe
1388	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe
2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe
2696	svchcst.exe
2696	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
1460	svchcst.exe
1460	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
640	svchcst.exe
640	svchcst.exe
756	svchcst.exe
756	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
568	svchcst.exe
568	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2872	2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe	31
PID 2632 wrote to memory of 2872	2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe	31
PID 2632 wrote to memory of 2872	2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe	31
PID 2632 wrote to memory of 2872	2632	11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe	31
PID 2872 wrote to memory of 2696	2872	WScript.exe	33
PID 2872 wrote to memory of 2696	2872	WScript.exe	33
PID 2872 wrote to memory of 2696	2872	WScript.exe	33
PID 2872 wrote to memory of 2696	2872	WScript.exe	33
PID 2696 wrote to memory of 704	2696	svchcst.exe	34
PID 2696 wrote to memory of 704	2696	svchcst.exe	34
PID 2696 wrote to memory of 704	2696	svchcst.exe	34
PID 2696 wrote to memory of 704	2696	svchcst.exe	34
PID 704 wrote to memory of 1864	704	WScript.exe	35
PID 704 wrote to memory of 1864	704	WScript.exe	35
PID 704 wrote to memory of 1864	704	WScript.exe	35
PID 704 wrote to memory of 1864	704	WScript.exe	35
PID 1864 wrote to memory of 2460	1864	svchcst.exe	36
PID 1864 wrote to memory of 2460	1864	svchcst.exe	36
PID 1864 wrote to memory of 2460	1864	svchcst.exe	36
PID 1864 wrote to memory of 2460	1864	svchcst.exe	36
PID 2460 wrote to memory of 1460	2460	WScript.exe	37
PID 2460 wrote to memory of 1460	2460	WScript.exe	37
PID 2460 wrote to memory of 1460	2460	WScript.exe	37
PID 2460 wrote to memory of 1460	2460	WScript.exe	37
PID 1460 wrote to memory of 2204	1460	svchcst.exe	38
PID 1460 wrote to memory of 2204	1460	svchcst.exe	38
PID 1460 wrote to memory of 2204	1460	svchcst.exe	38
PID 1460 wrote to memory of 2204	1460	svchcst.exe	38
PID 2204 wrote to memory of 2072	2204	WScript.exe	39
PID 2204 wrote to memory of 2072	2204	WScript.exe	39
PID 2204 wrote to memory of 2072	2204	WScript.exe	39
PID 2204 wrote to memory of 2072	2204	WScript.exe	39
PID 2072 wrote to memory of 2256	2072	svchcst.exe	40
PID 2072 wrote to memory of 2256	2072	svchcst.exe	40
PID 2072 wrote to memory of 2256	2072	svchcst.exe	40
PID 2072 wrote to memory of 2256	2072	svchcst.exe	40
PID 2256 wrote to memory of 2500	2256	WScript.exe	41
PID 2256 wrote to memory of 2500	2256	WScript.exe	41
PID 2256 wrote to memory of 2500	2256	WScript.exe	41
PID 2256 wrote to memory of 2500	2256	WScript.exe	41
PID 2500 wrote to memory of 2168	2500	svchcst.exe	42
PID 2500 wrote to memory of 2168	2500	svchcst.exe	42
PID 2500 wrote to memory of 2168	2500	svchcst.exe	42
PID 2500 wrote to memory of 2168	2500	svchcst.exe	42
PID 2168 wrote to memory of 640	2168	WScript.exe	43
PID 2168 wrote to memory of 640	2168	WScript.exe	43
PID 2168 wrote to memory of 640	2168	WScript.exe	43
PID 2168 wrote to memory of 640	2168	WScript.exe	43
PID 640 wrote to memory of 1676	640	svchcst.exe	44
PID 640 wrote to memory of 1676	640	svchcst.exe	44
PID 640 wrote to memory of 1676	640	svchcst.exe	44
PID 640 wrote to memory of 1676	640	svchcst.exe	44
PID 1676 wrote to memory of 756	1676	WScript.exe	45
PID 1676 wrote to memory of 756	1676	WScript.exe	45
PID 1676 wrote to memory of 756	1676	WScript.exe	45
PID 1676 wrote to memory of 756	1676	WScript.exe	45
PID 756 wrote to memory of 2092	756	svchcst.exe	46
PID 756 wrote to memory of 2092	756	svchcst.exe	46
PID 756 wrote to memory of 2092	756	svchcst.exe	46
PID 756 wrote to memory of 2092	756	svchcst.exe	46
PID 2092 wrote to memory of 2936	2092	WScript.exe	47
PID 2092 wrote to memory of 2936	2092	WScript.exe	47
PID 2092 wrote to memory of 2936	2092	WScript.exe	47
PID 2092 wrote to memory of 2936	2092	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe
"C:\Users\Admin\AppData\Local\Temp\11eea0792184c9cc6c1a6ebd834c11f4aee28bfa1dd5efd4db959c6c01895dd7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bfe648fe2f055d1bfaff7d2979612fd4

SHA1
18d7683ac04a3796ad136601668174e064c5f22e

SHA256
5f8299b064444808e77c5984b327f825629c8a55dd483a08e47772a14196388b

SHA512
d3c2d2c05d81ec40673540ad9975b19081a97bbf7f6056cb5376f23fa64fbef4c2d4fd214116ece6283700a0eb738ce7599176285ffa2dd0d60ef57742f81d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bf77c4c5bf8fd461d72ebfdddb312079

SHA1
0e8eb3c9d7d6903834cd03f3f1795a83d70963ec

SHA256
1392c5ced43633093272684fca410e66e144382f17aa8497c18073b8942f22fc

SHA512
5b525e3f72a01d77665c88755762e3815728ae593518cc6193f52ae3227be8517bb8c7a1d1febfd7e6b508074ddf5756d9e1161247f64aff64963de00f2805bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a1852e508373626d5fdfdf2cc93f95fe

SHA1
e3bf39eeca652b6267f1e64c11fa16dd1991cc21

SHA256
48659227d25089b0413eccad044e48225390a16c5d7bd97aab4918e22f506090

SHA512
9a7985e45341fe7bc81368a222557b0fdfb9898f485cc1e5d3374bbafb428e6176cba8c10d9d5b50e49c3ebc028007d3c1400c30e612b26fb42aa45d4c3b261b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f0242e5ae58549bfc85d2ea0aa060c97

SHA1
e9d6dd13cf857795760d221bf1babcfe6d15ca5d

SHA256
e37baabfe4973fac8e9edce6c7eccf1ebffb75ffe9fb73d7f9d2302e5bbaf806

SHA512
02f4a882c5f4c52d3ae13e49278f58264a52d3c66864f645831f3d4d8233fce7dbfe58499e818f1cff4a6bbba7c50c07d44e72c6213409b28d2c07b875064585

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3466d76e5af77146c4c82850d55a7a16

SHA1
89d977816f8e947bd9d58fcab83d63627af17aa0

SHA256
0913ef250c4fe2eadafd027185b3de183ef52947bf33c15e3d299d9c5bd44aa9

SHA512
689a99f7307fb71029529db48c7d2cd474f16b6b5cd5abe8f4c5fe4667cd7e00dd39b4a0f54540c1552c2e6a60ab692128a8d2055c4a8c2126df67eb01898e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8f419bf66c20fa71e430188bafa115b7

SHA1
cd34d314791a6f5da2fca344d6b2c40d3bcb207f

SHA256
c286a662d27c2630fa5b9a5f8df6030c3ac8bc7859e8af8e76dfb01aad28b1bc

SHA512
0e77a2b39a8843af498d2a5b5876ed7a84e742d1002fae0292f461dd993d47bdce9afacc8e0a3d179f9881b817a08a36f91d0660864b4b47b6297d17a7a7bd7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c2ccb2322c24f2d1b2b78f8920734ad0

SHA1
6d5e6ae62895bcc82b167aad35cd50ea6666e348

SHA256
b57f47c5ea5781f436fa5180ef880606fb094c68900f34752e6f590c542b0195

SHA512
3a2b3d8be4fd15e416022cde89a6ead6f77d14a60b76ae2823211f351456676cd0abe5ca8520012bffcf7b8dd8978f927972912e084f18858b84455f3f3c1be1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b6029150874a445b0eeb949e039cbd01

SHA1
b98e9bf8d42a58ec5558cbb718f4818a8cdc60f6

SHA256
140bbac0e6d0d95e9e39237e8db0e3f17163a9aa2d245444eb9a68314fda821b

SHA512
e6bc0e5058e7e1aad061bf7f81992c12ed9728764229ac68f3a6888d68df816198ca57d70c2ce441764b9a705f35e182d1ef95afdda482d88ce9465b65bccfe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d1cad9dc96a5c40da2d86955d8d1546f

SHA1
4b402e28f35acb281027aee03b6831e999963d8d

SHA256
c8aedcf19f4690ece2af1736cd4f143603a4463df845fb20dd1de55e9846e9bc

SHA512
3bff12e695639b94a3e63e6493aaadd0623c1f07e0300b1969b01cb9f5a04f82629fb490e144c36a88bb9af444ce004f07b0fe859bd3bd9944023a2393b16afc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0b3d7128fa000b987090268acbdc0b4c

SHA1
648bfc6505c358660dacbff9707ca7325288acef

SHA256
893d102d84331205a28cf596159c32326b5e7054d5497066cbeeb4827b4f46de

SHA512
5a666f69c39d39cdbc22b6f2128e1cbcc164b90e5c7fbaa2e111d9054002258efef68bf661af0e07ce7a76112aa3e97690c9316fe007eea47d39e7d5db75b3de

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8fd2fc45778d252798089a15a7a54435

SHA1
5057c5839766db76d367f9be823c678135406c93

SHA256
347de93ae8face5b73562396c9153769f734b25dd39082637a132984dc4b1f92

SHA512
b01ec2ff8940670bd15417901b90320147475d1882d713e08584ad39a3ceda905f179f8b9da52cb0df8c0a74ecb6b2b774a4dd5c333fcad43797602df2b73b4d

Download Submit
memory/2632-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download