344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe
Size

1.1MB
MD5

3939095737a42bdb3bb0ad282b8ee884
SHA1

9f03eb7c26826f9efe38f4ded4203071539aeb27
SHA256

344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626
SHA512

0b16001c752f9d3b7cbdadcacfb08e05246a5c78ca60280266e8c761cfe216a5c74bbfc765776e04057ecef28154fa550345d7d368d8ee6ec57b0dc8867ae592
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QD:acallSllG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2624	svchcst.exe
1164	svchcst.exe
448	svchcst.exe
2152	svchcst.exe
2476	svchcst.exe
2920	svchcst.exe
2436	svchcst.exe
2892	svchcst.exe
2760	svchcst.exe
1660	svchcst.exe
1476	svchcst.exe
3032	svchcst.exe
1560	svchcst.exe
896	svchcst.exe
2124	svchcst.exe
2504	svchcst.exe
2404	svchcst.exe
2080	svchcst.exe
1368	svchcst.exe
1932	svchcst.exe
2040	svchcst.exe
1036	svchcst.exe
2264	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2876	WScript.exe
2876	WScript.exe
2816	WScript.exe
748	WScript.exe
748	WScript.exe
748	WScript.exe
836	WScript.exe
836	WScript.exe
1780	WScript.exe
2380	WScript.exe
2880	WScript.exe
2880	WScript.exe
2880	WScript.exe
1928	WScript.exe
1620	WScript.exe
1620	WScript.exe
2152	WScript.exe
2152	WScript.exe
1540	WScript.exe
1540	WScript.exe
1756	WScript.exe
1756	WScript.exe
1592	WScript.exe
1592	WScript.exe
720	WScript.exe
720	WScript.exe
2416	WScript.exe
2416	WScript.exe
1772	WScript.exe
1772	WScript.exe
1680	WScript.exe
1680	WScript.exe
656	WScript.exe
656	WScript.exe
2788	WScript.exe
2788	WScript.exe
3032	WScript.exe
3032	WScript.exe
2160	WScript.exe
2160	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe
2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe
2624	svchcst.exe
2624	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
448	svchcst.exe
448	svchcst.exe
2152	svchcst.exe
2152	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2920	svchcst.exe
2920	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
1476	svchcst.exe
1476	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
896	svchcst.exe
896	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2080	svchcst.exe
2080	svchcst.exe
1368	svchcst.exe
1368	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2876	2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe	30
PID 2208 wrote to memory of 2876	2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe	30
PID 2208 wrote to memory of 2876	2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe	30
PID 2208 wrote to memory of 2876	2208	344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe	30
PID 2876 wrote to memory of 2624	2876	WScript.exe	32
PID 2876 wrote to memory of 2624	2876	WScript.exe	32
PID 2876 wrote to memory of 2624	2876	WScript.exe	32
PID 2876 wrote to memory of 2624	2876	WScript.exe	32
PID 2624 wrote to memory of 2816	2624	svchcst.exe	33
PID 2624 wrote to memory of 2816	2624	svchcst.exe	33
PID 2624 wrote to memory of 2816	2624	svchcst.exe	33
PID 2624 wrote to memory of 2816	2624	svchcst.exe	33
PID 2816 wrote to memory of 1164	2816	WScript.exe	34
PID 2816 wrote to memory of 1164	2816	WScript.exe	34
PID 2816 wrote to memory of 1164	2816	WScript.exe	34
PID 2816 wrote to memory of 1164	2816	WScript.exe	34
PID 1164 wrote to memory of 748	1164	svchcst.exe	35
PID 1164 wrote to memory of 748	1164	svchcst.exe	35
PID 1164 wrote to memory of 748	1164	svchcst.exe	35
PID 1164 wrote to memory of 748	1164	svchcst.exe	35
PID 748 wrote to memory of 448	748	WScript.exe	36
PID 748 wrote to memory of 448	748	WScript.exe	36
PID 748 wrote to memory of 448	748	WScript.exe	36
PID 748 wrote to memory of 448	748	WScript.exe	36
PID 448 wrote to memory of 2408	448	svchcst.exe	37
PID 448 wrote to memory of 2408	448	svchcst.exe	37
PID 448 wrote to memory of 2408	448	svchcst.exe	37
PID 448 wrote to memory of 2408	448	svchcst.exe	37
PID 748 wrote to memory of 2152	748	WScript.exe	38
PID 748 wrote to memory of 2152	748	WScript.exe	38
PID 748 wrote to memory of 2152	748	WScript.exe	38
PID 748 wrote to memory of 2152	748	WScript.exe	38
PID 2152 wrote to memory of 836	2152	svchcst.exe	39
PID 2152 wrote to memory of 836	2152	svchcst.exe	39
PID 2152 wrote to memory of 836	2152	svchcst.exe	39
PID 2152 wrote to memory of 836	2152	svchcst.exe	39
PID 836 wrote to memory of 2476	836	WScript.exe	40
PID 836 wrote to memory of 2476	836	WScript.exe	40
PID 836 wrote to memory of 2476	836	WScript.exe	40
PID 836 wrote to memory of 2476	836	WScript.exe	40
PID 2476 wrote to memory of 1780	2476	svchcst.exe	41
PID 2476 wrote to memory of 1780	2476	svchcst.exe	41
PID 2476 wrote to memory of 1780	2476	svchcst.exe	41
PID 2476 wrote to memory of 1780	2476	svchcst.exe	41
PID 2476 wrote to memory of 1736	2476	svchcst.exe	42
PID 2476 wrote to memory of 1736	2476	svchcst.exe	42
PID 2476 wrote to memory of 1736	2476	svchcst.exe	42
PID 2476 wrote to memory of 1736	2476	svchcst.exe	42
PID 1780 wrote to memory of 2920	1780	WScript.exe	43
PID 1780 wrote to memory of 2920	1780	WScript.exe	43
PID 1780 wrote to memory of 2920	1780	WScript.exe	43
PID 1780 wrote to memory of 2920	1780	WScript.exe	43
PID 2920 wrote to memory of 2380	2920	svchcst.exe	44
PID 2920 wrote to memory of 2380	2920	svchcst.exe	44
PID 2920 wrote to memory of 2380	2920	svchcst.exe	44
PID 2920 wrote to memory of 2380	2920	svchcst.exe	44
PID 2380 wrote to memory of 2436	2380	WScript.exe	45
PID 2380 wrote to memory of 2436	2380	WScript.exe	45
PID 2380 wrote to memory of 2436	2380	WScript.exe	45
PID 2380 wrote to memory of 2436	2380	WScript.exe	45
PID 2436 wrote to memory of 2880	2436	svchcst.exe	46
PID 2436 wrote to memory of 2880	2436	svchcst.exe	46
PID 2436 wrote to memory of 2880	2436	svchcst.exe	46
PID 2436 wrote to memory of 2880	2436	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe
"C:\Users\Admin\AppData\Local\Temp\344adcddd6097550f56ed6165ba26b805d012bf97317f35d47ece21caa8ad626.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a98a0a0c833325c7b18a54872cbe6f42

SHA1
8fd3264a321123538d78eec3a196b38e2b46ca00

SHA256
4f2f083b6a94beef14b8f305e86dd5970368fb32e5a0f1c3374ab35cb20774c8

SHA512
3d52d5fe512a6de8601f3d125b1858b21702943167f5ecee5b3f920c652989813ff63b70b11ca1cfb0167b653deb15f46492bc3b539305cca08ceba1228650f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9df3e41486a84b749a768f2ec330034d

SHA1
689915f1e29da0774b71f847ca2f7392d129be67

SHA256
0c0ff5f056faba9f8314713aab52921691485a493d350acd684191a7cd160ab7

SHA512
d825c4e8c5b7ada091934552eec3a9557a60d506f05fa4cec7382614a1b38c60ceb048ef744333d9defe525eacacc96879b882cee4636b0dc1f425445b5c986d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3b920efe4fac4ef51d408d11cbee5560

SHA1
fefd7157493b16a4cc404458352f84eefae0a9ae

SHA256
5dc48c8ac26d6ee71096cc9266876517ffbe47f472ba365a9e7b4238ea9141e6

SHA512
9f7d068c8242e110ef2e51b465c5501e13394ba44c28ea10d0462a93374f7982ebf1870734e7be28bd7d7dbdf346215439741af8d655d31062ea63d00ef25122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a09e7ee5e4c3cc4ef03e4f06b5b68d42

SHA1
080f01da2e0e4a4f58d145e77ea753b1bbe30e92

SHA256
8a73ff70109663dc473682d481a951201ab04470d272f30f537f570addf004cf

SHA512
c4042b6fea00d190f4f46a82181a654f9cc805c6f1ef3f79f8550ea1a2fff321ace833027128cb01ef730cfefb6a3862d1a1556459aa52c59bfefb03f24b11eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
493914c554c3d4ea3350e0c15bae4d8e

SHA1
b062420ab7a54f0e0c82a77bb49db217be799254

SHA256
4a5b41fddb9d5a98baa0e94ce832692e41e7385db33ef96218cdbcf1f9b2c947

SHA512
d769c3009e675907bd60487df303632b63dffefed539a49b8263fab2c48a20fb986b68a7e80eefbb3ec425ac1832e2c3d8c6c741812f7f2cfa8b08acf27f7b3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
655a983cf404397c5b83ae4c2f4efc59

SHA1
ca748f68db6c6cc9adf89a4dc8d05cda193e09b0

SHA256
3a52cc97098a1f7dc3d0c87b51755630d215bb5bbe9c90cec151e0d3f247d18e

SHA512
dbb3a122f92d3176c12510287b261b7b5e1e5d8b820fd8b0b1d2f6f11553cc60b020cff067822e7fe243cb39a1e35b3e958bea6d8dacf2c60046c32f32456c08

Download Submit
memory/448-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/448-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/720-221-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/836-67-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download
memory/896-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/896-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1164-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1164-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1476-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-162-0x0000000005AD0000-0x0000000005C2F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-180-0x0000000005B70000-0x0000000005CCF000-memory.dmp

Filesize
1.4MB

Download
memory/1660-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-175-0x0000000004610000-0x000000000476F000-memory.dmp

Filesize
1.4MB

Download
memory/1780-80-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/1932-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2080-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2080-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2152-152-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/2152-157-0x0000000005C60000-0x0000000005DBF000-memory.dmp

Filesize
1.4MB

Download
memory/2208-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2404-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-201-0x00000000046F0000-0x000000000484F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-223-0x00000000046F0000-0x000000000484F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2504-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-15-0x0000000005A30000-0x0000000005B8F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-14-0x0000000005A30000-0x0000000005B8F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-116-0x0000000005CD0000-0x0000000005E2F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2920-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2920-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-244-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download