c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
Size

1.1MB
MD5

a9dcafae76cc09c9a2a53f4b1d864ead
SHA1

36dbdf388a1215c46d8bd49c8e7d6ac4843bc9d4
SHA256

c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe
SHA512

741089c23b8311356aa2f5cf860aaa284e50957a343e7d09a0d624610186b8299a34d3bda2bb79994d2fd961a53a019a04de1591d0127d6aaba8326ad9798f67
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2632	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2632	svchcst.exe
2804	svchcst.exe
1260	svchcst.exe
2500	svchcst.exe
608	svchcst.exe
768	svchcst.exe
1516	svchcst.exe
1940	svchcst.exe
2948	svchcst.exe
2696	svchcst.exe
324	svchcst.exe
1560	svchcst.exe
780	svchcst.exe
456	svchcst.exe
1628	svchcst.exe
1996	svchcst.exe
1624	svchcst.exe
3048	svchcst.exe
2912	svchcst.exe
1304	svchcst.exe
2280	svchcst.exe
2976	svchcst.exe
1748	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2116	WScript.exe
2116	WScript.exe
2952	WScript.exe
2952	WScript.exe
2908	WScript.exe
544	WScript.exe
544	WScript.exe
544	WScript.exe
696	WScript.exe
1624	WScript.exe
1624	WScript.exe
2800	WScript.exe
2536	WScript.exe
2536	WScript.exe
2536	WScript.exe
2680	WScript.exe
2680	WScript.exe
2680	WScript.exe
620	WScript.exe
620	WScript.exe
1404	WScript.exe
1404	WScript.exe
1308	WScript.exe
1308	WScript.exe
2368	WScript.exe
2368	WScript.exe
2480	WScript.exe
2480	WScript.exe
2436	WScript.exe
2436	WScript.exe
340	WScript.exe
340	WScript.exe
1640	WScript.exe
1640	WScript.exe
1484	WScript.exe
1484	WScript.exe
2528	WScript.exe
2528	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
2632	svchcst.exe
2632	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
1260	svchcst.exe
1260	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
608	svchcst.exe
608	svchcst.exe
768	svchcst.exe
768	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
324	svchcst.exe
324	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
780	svchcst.exe
780	svchcst.exe
456	svchcst.exe
456	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
1304	svchcst.exe
1304	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2116	1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe	28
PID 1952 wrote to memory of 2116	1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe	28
PID 1952 wrote to memory of 2116	1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe	28
PID 1952 wrote to memory of 2116	1952	c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe	28
PID 2116 wrote to memory of 2632	2116	WScript.exe	30
PID 2116 wrote to memory of 2632	2116	WScript.exe	30
PID 2116 wrote to memory of 2632	2116	WScript.exe	30
PID 2116 wrote to memory of 2632	2116	WScript.exe	30
PID 2632 wrote to memory of 2952	2632	svchcst.exe	31
PID 2632 wrote to memory of 2952	2632	svchcst.exe	31
PID 2632 wrote to memory of 2952	2632	svchcst.exe	31
PID 2632 wrote to memory of 2952	2632	svchcst.exe	31
PID 2952 wrote to memory of 2804	2952	WScript.exe	32
PID 2952 wrote to memory of 2804	2952	WScript.exe	32
PID 2952 wrote to memory of 2804	2952	WScript.exe	32
PID 2952 wrote to memory of 2804	2952	WScript.exe	32
PID 2804 wrote to memory of 2908	2804	svchcst.exe	33
PID 2804 wrote to memory of 2908	2804	svchcst.exe	33
PID 2804 wrote to memory of 2908	2804	svchcst.exe	33
PID 2804 wrote to memory of 2908	2804	svchcst.exe	33
PID 2908 wrote to memory of 1260	2908	WScript.exe	34
PID 2908 wrote to memory of 1260	2908	WScript.exe	34
PID 2908 wrote to memory of 1260	2908	WScript.exe	34
PID 2908 wrote to memory of 1260	2908	WScript.exe	34
PID 1260 wrote to memory of 544	1260	svchcst.exe	35
PID 1260 wrote to memory of 544	1260	svchcst.exe	35
PID 1260 wrote to memory of 544	1260	svchcst.exe	35
PID 1260 wrote to memory of 544	1260	svchcst.exe	35
PID 1260 wrote to memory of 492	1260	svchcst.exe	36
PID 1260 wrote to memory of 492	1260	svchcst.exe	36
PID 1260 wrote to memory of 492	1260	svchcst.exe	36
PID 1260 wrote to memory of 492	1260	svchcst.exe	36
PID 544 wrote to memory of 2500	544	WScript.exe	37
PID 544 wrote to memory of 2500	544	WScript.exe	37
PID 544 wrote to memory of 2500	544	WScript.exe	37
PID 544 wrote to memory of 2500	544	WScript.exe	37
PID 2500 wrote to memory of 2320	2500	svchcst.exe	38
PID 2500 wrote to memory of 2320	2500	svchcst.exe	38
PID 2500 wrote to memory of 2320	2500	svchcst.exe	38
PID 2500 wrote to memory of 2320	2500	svchcst.exe	38
PID 544 wrote to memory of 608	544	WScript.exe	39
PID 544 wrote to memory of 608	544	WScript.exe	39
PID 544 wrote to memory of 608	544	WScript.exe	39
PID 544 wrote to memory of 608	544	WScript.exe	39
PID 608 wrote to memory of 696	608	svchcst.exe	40
PID 608 wrote to memory of 696	608	svchcst.exe	40
PID 608 wrote to memory of 696	608	svchcst.exe	40
PID 608 wrote to memory of 696	608	svchcst.exe	40
PID 696 wrote to memory of 768	696	WScript.exe	41
PID 696 wrote to memory of 768	696	WScript.exe	41
PID 696 wrote to memory of 768	696	WScript.exe	41
PID 696 wrote to memory of 768	696	WScript.exe	41
PID 768 wrote to memory of 1624	768	svchcst.exe	42
PID 768 wrote to memory of 1624	768	svchcst.exe	42
PID 768 wrote to memory of 1624	768	svchcst.exe	42
PID 768 wrote to memory of 1624	768	svchcst.exe	42
PID 1624 wrote to memory of 1516	1624	WScript.exe	45
PID 1624 wrote to memory of 1516	1624	WScript.exe	45
PID 1624 wrote to memory of 1516	1624	WScript.exe	45
PID 1624 wrote to memory of 1516	1624	WScript.exe	45
PID 1516 wrote to memory of 1752	1516	svchcst.exe	46
PID 1516 wrote to memory of 1752	1516	svchcst.exe	46
PID 1516 wrote to memory of 1752	1516	svchcst.exe	46
PID 1516 wrote to memory of 1752	1516	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe
"C:\Users\Admin\AppData\Local\Temp\c15da86753f441cdb812268270b94d8392f6ed78d7fd918dbea87cb60728a7fe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
bdd788ca6fcf15c39558ee33593c58b7

SHA1
4a3593c582e87de867286f8e045285ea1f04db70

SHA256
4af2dcd8e50ecbf5959fee775912325bd468b6cec656e09e623ddc8fad9f80de

SHA512
526e351a74360aacc7a27bef101f4641a943264aac337eea414ff43420e08e5ee1ad64d08dae9e6352ba788d7ff35fec33760e41635d92fe61d314d6eba96b87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5568fcc572b1954e64b34e0636a4b0e7

SHA1
a72d8aa367d2db622dbc150bb20e28b38ff4ca1f

SHA256
73bdf43df6a64e46b35f4e3e4bbec6fa49a7358b3ac0fac5e153a04f202712bc

SHA512
effd668139ac5c53d3a5ea9b88eeb6d10fe61c7638b3ff930e9b0771dcdd9cda6e91241908c9345faf41d1d29513da14c175b77963ba0f40b367ac7ba71ac751

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47c32b35b1d685234338992844e9f3a7

SHA1
0f7ffe78d1c038302d38568bd4c4a12a1617a6f6

SHA256
5868214c1203a48db77da0da263bb705b7f02b2d851dc6b0ee7657c82079bd4d

SHA512
702cddd7d34f19dac98bb4f2e6e7982a052d901744b715c034dafc24f4625d9586d11fd26fb2ec1f0b2fef471c2c0dbd5e2fa1b192b967a8a443da0f484a18c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c1c70ef296f5c3b809586cff55200c5

SHA1
c14b2be4fba5da0efc93d3d1140a52980f2b81ee

SHA256
93cd6f41b57e94076cc95bf28d467c6bc3d8ee6565f364d601d4594bd5f123b9

SHA512
357596c2df0f082707368467422538afce2d596c106fe00b8cb1430187a5304ab44539bf2b0aa8885fe57263ede59897d1baf4ae96eca67d329b7f9bf0e2b10c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
11537aed0837e1d76992101bd5f2f577

SHA1
be8ca47e1289c7b6afa1b2427ebd98e167c8ce5e

SHA256
fd7903f8712cb710320a1a614df2b0337a70215b20433e4e0a02eb5c5db0787e

SHA512
f3882dbccaa2775c90ae24fb950b138e6dd3f55009d292229824e3fedc5b8e5edad487f3b3056b5bcdb3cdfa2b4b3a33f178580d93e4570eaa876db5ea5b95e8

Download Submit
memory/324-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/324-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/456-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/544-57-0x00000000047C0000-0x000000000491F000-memory.dmp

Filesize
1.4MB

Download
memory/544-68-0x0000000005EA0000-0x0000000005FFF000-memory.dmp

Filesize
1.4MB

Download
memory/544-67-0x0000000005EA0000-0x0000000005FFF000-memory.dmp

Filesize
1.4MB

Download
memory/608-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/696-80-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

Filesize
1.4MB

Download
memory/768-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/780-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/780-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1260-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1304-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1304-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-177-0x00000000045C0000-0x000000000471F000-memory.dmp

Filesize
1.4MB

Download
memory/1516-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1516-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1624-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1748-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-186-0x0000000005B40000-0x0000000005C9F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2528-234-0x0000000004800000-0x000000000495F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2908-40-0x0000000005AD0000-0x0000000005C2F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2948-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-28-0x0000000004630000-0x000000000478F000-memory.dmp

Filesize
1.4MB

Download
memory/2976-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2976-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download