d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
Size

1.1MB
MD5

8e651777e0bc60e6ac0c50482ff7e4fa
SHA1

a0cb7b8577d95ddd1a520804109674d3fab696a0
SHA256

d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c
SHA512

d125e9903d65199cebaa7efe61159f1aeaf329baeb6395638556b3bd68577817677d4067d3da097d4ddc51789fe437a67838e4fe2f5d6d664ece5535d43ccb0d
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2916	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2916	svchcst.exe
2332	svchcst.exe
1212	svchcst.exe
2984	svchcst.exe
2592	svchcst.exe
1564	svchcst.exe
2376	svchcst.exe
2108	svchcst.exe
2968	svchcst.exe
2368	svchcst.exe
1908	svchcst.exe
1008	svchcst.exe
1996	svchcst.exe
564	svchcst.exe
852	svchcst.exe
2568	svchcst.exe
772	svchcst.exe
2624	svchcst.exe
3064	svchcst.exe
1920	svchcst.exe
1760	svchcst.exe
2492	svchcst.exe
2124	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
1984	WScript.exe
1984	WScript.exe
2668	WScript.exe
2668	WScript.exe
848	WScript.exe
848	WScript.exe
2972	WScript.exe
2972	WScript.exe
2096	WScript.exe
2096	WScript.exe
1632	WScript.exe
1632	WScript.exe
1276	WScript.exe
1276	WScript.exe
1608	WScript.exe
1608	WScript.exe
2268	WScript.exe
2268	WScript.exe
2628	WScript.exe
2628	WScript.exe
2880	WScript.exe
2880	WScript.exe
784	WScript.exe
784	WScript.exe
708	WScript.exe
708	WScript.exe
3024	WScript.exe
3024	WScript.exe
2468	WScript.exe
2468	WScript.exe
1944	WScript.exe
1944	WScript.exe
2792	WScript.exe
2792	WScript.exe
2916	WScript.exe
2916	WScript.exe
1852	WScript.exe
1852	WScript.exe
2828	WScript.exe
2828	WScript.exe
2196	WScript.exe
2196	WScript.exe
3028	WScript.exe
3028	WScript.exe
1440	WScript.exe
1440	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
2916	svchcst.exe
2916	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
1212	svchcst.exe
1212	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
2592	svchcst.exe
2592	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
564	svchcst.exe
564	svchcst.exe
852	svchcst.exe
852	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
772	svchcst.exe
772	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 1984	328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	30
PID 328 wrote to memory of 1984	328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	30
PID 328 wrote to memory of 1984	328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	30
PID 328 wrote to memory of 1984	328	d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe	30
PID 1984 wrote to memory of 2916	1984	WScript.exe	33
PID 1984 wrote to memory of 2916	1984	WScript.exe	33
PID 1984 wrote to memory of 2916	1984	WScript.exe	33
PID 1984 wrote to memory of 2916	1984	WScript.exe	33
PID 2916 wrote to memory of 2668	2916	svchcst.exe	34
PID 2916 wrote to memory of 2668	2916	svchcst.exe	34
PID 2916 wrote to memory of 2668	2916	svchcst.exe	34
PID 2916 wrote to memory of 2668	2916	svchcst.exe	34
PID 2668 wrote to memory of 2332	2668	WScript.exe	35
PID 2668 wrote to memory of 2332	2668	WScript.exe	35
PID 2668 wrote to memory of 2332	2668	WScript.exe	35
PID 2668 wrote to memory of 2332	2668	WScript.exe	35
PID 2332 wrote to memory of 848	2332	svchcst.exe	36
PID 2332 wrote to memory of 848	2332	svchcst.exe	36
PID 2332 wrote to memory of 848	2332	svchcst.exe	36
PID 2332 wrote to memory of 848	2332	svchcst.exe	36
PID 848 wrote to memory of 1212	848	WScript.exe	37
PID 848 wrote to memory of 1212	848	WScript.exe	37
PID 848 wrote to memory of 1212	848	WScript.exe	37
PID 848 wrote to memory of 1212	848	WScript.exe	37
PID 1212 wrote to memory of 2972	1212	svchcst.exe	38
PID 1212 wrote to memory of 2972	1212	svchcst.exe	38
PID 1212 wrote to memory of 2972	1212	svchcst.exe	38
PID 1212 wrote to memory of 2972	1212	svchcst.exe	38
PID 2972 wrote to memory of 2984	2972	WScript.exe	39
PID 2972 wrote to memory of 2984	2972	WScript.exe	39
PID 2972 wrote to memory of 2984	2972	WScript.exe	39
PID 2972 wrote to memory of 2984	2972	WScript.exe	39
PID 2984 wrote to memory of 2096	2984	svchcst.exe	40
PID 2984 wrote to memory of 2096	2984	svchcst.exe	40
PID 2984 wrote to memory of 2096	2984	svchcst.exe	40
PID 2984 wrote to memory of 2096	2984	svchcst.exe	40
PID 2096 wrote to memory of 2592	2096	WScript.exe	41
PID 2096 wrote to memory of 2592	2096	WScript.exe	41
PID 2096 wrote to memory of 2592	2096	WScript.exe	41
PID 2096 wrote to memory of 2592	2096	WScript.exe	41
PID 2592 wrote to memory of 1632	2592	svchcst.exe	42
PID 2592 wrote to memory of 1632	2592	svchcst.exe	42
PID 2592 wrote to memory of 1632	2592	svchcst.exe	42
PID 2592 wrote to memory of 1632	2592	svchcst.exe	42
PID 1632 wrote to memory of 1564	1632	WScript.exe	43
PID 1632 wrote to memory of 1564	1632	WScript.exe	43
PID 1632 wrote to memory of 1564	1632	WScript.exe	43
PID 1632 wrote to memory of 1564	1632	WScript.exe	43
PID 1564 wrote to memory of 1276	1564	svchcst.exe	44
PID 1564 wrote to memory of 1276	1564	svchcst.exe	44
PID 1564 wrote to memory of 1276	1564	svchcst.exe	44
PID 1564 wrote to memory of 1276	1564	svchcst.exe	44
PID 1276 wrote to memory of 2376	1276	WScript.exe	45
PID 1276 wrote to memory of 2376	1276	WScript.exe	45
PID 1276 wrote to memory of 2376	1276	WScript.exe	45
PID 1276 wrote to memory of 2376	1276	WScript.exe	45
PID 2376 wrote to memory of 1608	2376	svchcst.exe	46
PID 2376 wrote to memory of 1608	2376	svchcst.exe	46
PID 2376 wrote to memory of 1608	2376	svchcst.exe	46
PID 2376 wrote to memory of 1608	2376	svchcst.exe	46
PID 1608 wrote to memory of 2108	1608	WScript.exe	47
PID 1608 wrote to memory of 2108	1608	WScript.exe	47
PID 1608 wrote to memory of 2108	1608	WScript.exe	47
PID 1608 wrote to memory of 2108	1608	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe
"C:\Users\Admin\AppData\Local\Temp\d11fbabb7433f02e9affcae1882fcdfbb90cfeff6545d607d75ee194ec2e6d8c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7b31f84b7e0882841c240b58cf075639

SHA1
dfcfd8f671948ec551a41afc1e3f6cc0238f5de9

SHA256
7aa61e1b5a8a50e79da5dbee03e2f3961515c8fe4bc3e612612e4dd958b6bc46

SHA512
cf04bd1845aac147982da4e9cfe361d9bc39e1e3ca45bca4345d47af4b29ab56a5eb98b06abebdbf2725c88b65b94cad92ae3b5278a2b39487dcd04ba860d2c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
037fbe12c78b7cda329760cf56fb6233

SHA1
5810e902acb7a34c3f1eea7526cfd46dc8fde308

SHA256
1ab27afd4aee7838600cbc3ed7b7d88007d8d79b9376d787c77e175220e12ff8

SHA512
0899503c91db1a0b1a9878dcbb54a98468a6e3e442f7d269310d120706f1dd1eaadcd4fa0f3ba8b1a5b0d011f9f9a27ec9b77ff4bf50270e0e964a7aa6e8bb36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
25cb34ba33521bf593620e4ca2076be0

SHA1
40e98fd8d304604dd9747432dc2928ad17989ee3

SHA256
7587c6365a8a5f6a072c212b50a0d6e3e0f63bbc5857b70d27b60978c0829986

SHA512
e68cf122e6421417a300c6a416d91546381ed29ed0d678fa89fca3251aaf1aa281c94401bd98b4a1638724f5da1d67ce5ea41902ec98bd96c1beb25dd7601754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c932df77c630feebe4c992ac961514dd

SHA1
2a69ca8a9d12b99ee6a006676f227eeee7c01156

SHA256
bd706e82637258c35e68bd0b8c94ab242808d7f65d36d64e40ca6a0985f48395

SHA512
6a2a7f0a43873706231f5ecbf917e09e1371fe3cb54d8f86700cc355dc6b974d776e26b9d8fc0d49a68b13c3ab1bcdb1afb7e4d20e4bc1800ec51fe110f40e61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c5cc60143f3250ee6699536c78947b4

SHA1
84d1bf4667ddb4203097970bd27582580b28ac59

SHA256
2d55bf78e4901a7113792662d69034fd460a1bad4890ec93fc5eac13baa31854

SHA512
05a11c336ed35f35eed1dc2349dd502b1e8255a587177ecac8d299b4d57b60a9fed978dad2f7a5b90c768d8e6adb1e2ff543f03bb6cfe9d617e529dbdfa55c94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ba33353692bf04db0123447ef0ea6677

SHA1
e9757db336af19768f33816c53a4f984638f5ed5

SHA256
d0d485cd560cf1660bbea0f3c0bf78898608b196d390a9de1c9279219f14ed3c

SHA512
ca0d5a6e9092feab9a8c964a6a80c08d54c33559188f5869bb5fdd5bb18243ecf5128c51ecfef1a3e886a6ec6c850110b7eaa11cae73a8ea12c624dc21e092aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
15ae86805a7c8c8d0d0c9ff23ee0f531

SHA1
4e7e32e139e3029d1ba31f7c2dc6476d01ec37d8

SHA256
cbab61fa1030898e999c15c0dc0404155397b5684b37fd20c8bffad6ef0eb5c4

SHA512
1b4e3d21e6fe3079e98b107ec1f4e98c48fb4ba5b1d171254762feeb3f7d220203c2ea7429ae5cb1d77a5ffb6b64100779c0c89e239f1e98644a6eb56800568a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
48515e12e86fa31fef7ec6ef002a10d4

SHA1
ae0fc8ec2ec22d91a063ffceac44bda71e2e3033

SHA256
640b03371a44a07c6b26d6bf7d2f1a40b96b9c4d53dc62bb241c800555494801

SHA512
557ee43cc7ee82cfd46c48cfc4d9ea2d6c6f91a9652f9b51aa6f6152d827e4cd1aae5ee57f27075d048c9c4bb5cf5084ca010dbeb34c730475c58e462a98a7aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7da8b66b8dcd7f80df58237b5c4a7ad0

SHA1
d7c52cf37e583fb4719daf0f182f2f1480677f4b

SHA256
709f58d1bb1709a45e323ebab852270a97cbe9415855abd009920cffb1f01df0

SHA512
694afe97923d89aad00b6c57bde6feb1e5c21a35e07f473ba84c966b4f8920a40f7dda9d31bb516d48fb4ea97f9dc118765a60033c27ff13a6489cdfbc63da92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ff6c57261329fdb5b07a3f904362fb21

SHA1
9c9c2ee1d0ebb6bcebdf5c8f44c7842320f7c178

SHA256
01201dd525a3038a06977b7a20857b212e8834c446e17e08b01cbde0427105cb

SHA512
c48abde3adaafa73e7adfe0420258b6779e374798c7ec22a0145790573e4d79887e4a8d1e435677d255c4af419d6a5a8a4b4c60fb5a293c4b6e1637d7467b19d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee7f5fe6436d6cbebf6145395c463e42

SHA1
83a731b1f702092c6310d4d26ed6f6dd235be47a

SHA256
2f8112b8b32531d1c7a5ab08c6c8c43299db5b5c6c21d0f3ab55e4ae7d0916ae

SHA512
a0ccce20a17b35ac55e48dd8abdec5673e25a98233609e76305fee7ae32386cd5ab867a201c4bc3e5b5d35d8a44613787a28794f204c56f73e4368b8c79b23d1

Download Submit
memory/328-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download