871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
Size

1.1MB
MD5

8e30ac29fd4bf3562bbd8792c2abda79
SHA1

6718f17a36f532e62ddb47f834ff410d8ec98d93
SHA256

871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0
SHA512

16c7e090927e6ed67df735e7ca03213d2a82483092b268e36174da66c9aeac95deac02e191b6e5d794e28e08b2c6b65ee5b33dfea0ca89f16e2dde128a355bb6
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q1:acallSllG4ZM7QzMO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1600	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
1600	svchcst.exe
756	svchcst.exe
328	svchcst.exe
2384	svchcst.exe
1544	svchcst.exe
2452	svchcst.exe
2264	svchcst.exe
2604	svchcst.exe
2024	svchcst.exe
1468	svchcst.exe
1636	svchcst.exe
2864	svchcst.exe
2528	svchcst.exe
2104	svchcst.exe
1436	svchcst.exe
2620	svchcst.exe
2496	svchcst.exe
1476	svchcst.exe
1616	svchcst.exe
2968	svchcst.exe
276	svchcst.exe
2424	svchcst.exe
2104	svchcst.exe
3036	svchcst.exe
2056	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2216	WScript.exe
2216	WScript.exe
2624	WScript.exe
2624	WScript.exe
588	WScript.exe
588	WScript.exe
1068	WScript.exe
1068	WScript.exe
1932	WScript.exe
1932	WScript.exe
2056	WScript.exe
1944	WScript.exe
3032	WScript.exe
3032	WScript.exe
2564	WScript.exe
2564	WScript.exe
2032	WScript.exe
2032	WScript.exe
328	WScript.exe
328	WScript.exe
1068	WScript.exe
1472	WScript.exe
1472	WScript.exe
1788	WScript.exe
1788	WScript.exe
1788	WScript.exe
1788	WScript.exe
2576	WScript.exe
2576	WScript.exe
2008	WScript.exe
2008	WScript.exe
1344	WScript.exe
1344	WScript.exe
2648	WScript.exe
2648	WScript.exe
3068	WScript.exe
3068	WScript.exe
1792	WScript.exe
1792	WScript.exe
1728	WScript.exe
1728	WScript.exe
348	WScript.exe
348	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
1600	svchcst.exe
1600	svchcst.exe
756	svchcst.exe
756	svchcst.exe
328	svchcst.exe
328	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
2528	svchcst.exe
2528	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
1436	svchcst.exe
1436	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
1476	svchcst.exe
1476	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
276	svchcst.exe
276	svchcst.exe
2424	svchcst.exe
2424	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
2056	svchcst.exe
2056	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2216	2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	31
PID 2348 wrote to memory of 2216	2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	31
PID 2348 wrote to memory of 2216	2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	31
PID 2348 wrote to memory of 2216	2348	871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe	31
PID 2216 wrote to memory of 1600	2216	WScript.exe	33
PID 2216 wrote to memory of 1600	2216	WScript.exe	33
PID 2216 wrote to memory of 1600	2216	WScript.exe	33
PID 2216 wrote to memory of 1600	2216	WScript.exe	33
PID 1600 wrote to memory of 2624	1600	svchcst.exe	34
PID 1600 wrote to memory of 2624	1600	svchcst.exe	34
PID 1600 wrote to memory of 2624	1600	svchcst.exe	34
PID 1600 wrote to memory of 2624	1600	svchcst.exe	34
PID 2624 wrote to memory of 756	2624	WScript.exe	35
PID 2624 wrote to memory of 756	2624	WScript.exe	35
PID 2624 wrote to memory of 756	2624	WScript.exe	35
PID 2624 wrote to memory of 756	2624	WScript.exe	35
PID 756 wrote to memory of 588	756	svchcst.exe	36
PID 756 wrote to memory of 588	756	svchcst.exe	36
PID 756 wrote to memory of 588	756	svchcst.exe	36
PID 756 wrote to memory of 588	756	svchcst.exe	36
PID 588 wrote to memory of 328	588	WScript.exe	37
PID 588 wrote to memory of 328	588	WScript.exe	37
PID 588 wrote to memory of 328	588	WScript.exe	37
PID 588 wrote to memory of 328	588	WScript.exe	37
PID 328 wrote to memory of 1068	328	svchcst.exe	38
PID 328 wrote to memory of 1068	328	svchcst.exe	38
PID 328 wrote to memory of 1068	328	svchcst.exe	38
PID 328 wrote to memory of 1068	328	svchcst.exe	38
PID 1068 wrote to memory of 2384	1068	WScript.exe	39
PID 1068 wrote to memory of 2384	1068	WScript.exe	39
PID 1068 wrote to memory of 2384	1068	WScript.exe	39
PID 1068 wrote to memory of 2384	1068	WScript.exe	39
PID 2384 wrote to memory of 1932	2384	svchcst.exe	40
PID 2384 wrote to memory of 1932	2384	svchcst.exe	40
PID 2384 wrote to memory of 1932	2384	svchcst.exe	40
PID 2384 wrote to memory of 1932	2384	svchcst.exe	40
PID 2384 wrote to memory of 944	2384	svchcst.exe	41
PID 2384 wrote to memory of 944	2384	svchcst.exe	41
PID 2384 wrote to memory of 944	2384	svchcst.exe	41
PID 2384 wrote to memory of 944	2384	svchcst.exe	41
PID 1932 wrote to memory of 1544	1932	WScript.exe	42
PID 1932 wrote to memory of 1544	1932	WScript.exe	42
PID 1932 wrote to memory of 1544	1932	WScript.exe	42
PID 1932 wrote to memory of 1544	1932	WScript.exe	42
PID 1544 wrote to memory of 2056	1544	svchcst.exe	43
PID 1544 wrote to memory of 2056	1544	svchcst.exe	43
PID 1544 wrote to memory of 2056	1544	svchcst.exe	43
PID 1544 wrote to memory of 2056	1544	svchcst.exe	43
PID 2056 wrote to memory of 2452	2056	WScript.exe	44
PID 2056 wrote to memory of 2452	2056	WScript.exe	44
PID 2056 wrote to memory of 2452	2056	WScript.exe	44
PID 2056 wrote to memory of 2452	2056	WScript.exe	44
PID 2452 wrote to memory of 1944	2452	svchcst.exe	45
PID 2452 wrote to memory of 1944	2452	svchcst.exe	45
PID 2452 wrote to memory of 1944	2452	svchcst.exe	45
PID 2452 wrote to memory of 1944	2452	svchcst.exe	45
PID 1944 wrote to memory of 2264	1944	WScript.exe	46
PID 1944 wrote to memory of 2264	1944	WScript.exe	46
PID 1944 wrote to memory of 2264	1944	WScript.exe	46
PID 1944 wrote to memory of 2264	1944	WScript.exe	46
PID 2264 wrote to memory of 3032	2264	svchcst.exe	47
PID 2264 wrote to memory of 3032	2264	svchcst.exe	47
PID 2264 wrote to memory of 3032	2264	svchcst.exe	47
PID 2264 wrote to memory of 3032	2264	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe
"C:\Users\Admin\AppData\Local\Temp\871c07d031798826d5e880fdffd28e572464834a3f32b4939040a740be1795d0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:756
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4ef2124d4a53811642a85ce0b954cbeb

SHA1
2aa51f304c49233c7383cec96a36dae47cc45a24

SHA256
50a7dda9ca4dc6e5c0f5083e93c3c5d310e5e8a40155ecb7c4fee2ca30b09221

SHA512
58bc167939402d4180f2452d9f9bc2fe03823fa4188b84f78beec037d72cdfd2d9e57f7e0d6d60da80f24aeb5e8c00bd94086bf37be6b74e425adffe233f6d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6c62740cacc89fb4034529ed8a8e7e60

SHA1
80ea14396189e0e0bcca80ce4bd6ef9802656ded

SHA256
14b248f3e7d1fc12d886c7fc943d7957cbce0d674da98f786e7898463898d633

SHA512
f848de4779d91ebc50ac95e503dfea91e2689c60d7b4a14bf865a0dbfa2c3178312bd6106b095d43ebba89bd0460c19814a2138d2d847e78170276e473bf468f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9984c0d96f9fc26ca858d9a67e8dc395

SHA1
fb91dddbaf23202dc300cc0101d7a0cec21881cd

SHA256
d6d871cd0a30d0aa79ad675e86041b676fd5b0800e3c90c8ea8e622e1f5e99ba

SHA512
92c8b71ac948664e8ddf131ef3ef6faeb47c75e342a18493345a568c620ff2881617aace05dabafc2f75318e669cc086fd914295ace533cfb2d6e8e8d88d6c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3ba016faa44a56580f9729243e5cbb13

SHA1
2108796565eaefaddc814b49f1658698b9289407

SHA256
bd75814125a4242748224522815e7e37f8b1d3d83b24be78e2bb7c63b8249745

SHA512
b92caab9e542820eb30da760beb2d4e5cd2d0e657c19b9dab1ff533d3a230e7546bc3627e69b80d049ab20510c253ae7465dfefcdc52fc53838d35c96779d30a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
18ae85a3f28ffff92782ceb89decf13e

SHA1
8ad67d1ed209f913a1ff98001d0c7ec6eff83c5c

SHA256
26069a05e0678af4d84bc929ecbd6bfa1cead18c0c9ae0c7250b8becf75f9919

SHA512
c612fbde24dce0f0e45e273998a409a31b3860bb722d3df9ee0eda1323229d26ada15c47d4f682ad55bee5cd53d038f372c139fc14a9612b4877dd010f50991c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1597e432868ed8a35fcb0428ad2c4eba

SHA1
6f08756c1fbe7bd4abb8059967b1635f83ca27b1

SHA256
f464eb9cb45cfd3c0d0d041aa0aed16509f595868cdd7110826f0a1000b74560

SHA512
f28d4610e75cac75e7910c11686c74e2b0b4c92c47ea60fa5a4eaa3300d81825d9a7439d9c5f626c936e38c212da808cb9d121fe2eea4855b37438143ef9ba9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5a86c6fc1321196fa0873292c76041c7

SHA1
772cb7ec7c10704da57f4d39a8fe944868bd3bfe

SHA256
60951d9c00675619fdd1cd5e54c2900078bc66c3ec1f0950dc3c7eea5b96ce97

SHA512
0c0829efada47c837f47a1709c785c129604ded5d4bc71ff51e96e97ede59461fc1b09848cb54157ff40749b8715433692049bf6ddced78c0184a09daaa62376

Download Submit
memory/276-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/276-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/328-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/328-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/328-155-0x0000000003D80000-0x0000000003EDF000-memory.dmp

Filesize
1.4MB

Download
memory/588-45-0x0000000004360000-0x00000000044BF000-memory.dmp

Filesize
1.4MB

Download
memory/588-43-0x0000000004360000-0x00000000044BF000-memory.dmp

Filesize
1.4MB

Download
memory/756-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/756-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1068-60-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/1068-61-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/1344-208-0x0000000004880000-0x00000000049DF000-memory.dmp

Filesize
1.4MB

Download
memory/1436-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1436-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1468-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1468-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-144-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1788-184-0x0000000004930000-0x0000000004A8F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-77-0x0000000004590000-0x00000000046EF000-memory.dmp

Filesize
1.4MB

Download
memory/2024-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2032-149-0x0000000004620000-0x000000000477F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-13-0x0000000005B00000-0x0000000005C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-14-0x0000000005B00000-0x0000000005C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2348-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2424-232-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2528-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-136-0x0000000003F00000-0x000000000405F000-memory.dmp

Filesize
1.4MB

Download
memory/2604-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2604-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-30-0x0000000005D30000-0x0000000005E8F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2968-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-118-0x0000000004370000-0x00000000044CF000-memory.dmp

Filesize
1.4MB

Download
memory/3032-113-0x0000000004370000-0x00000000044CF000-memory.dmp

Filesize
1.4MB

Download
memory/3036-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download