cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
Size

1.1MB
MD5

0fda798077c2b16bd9942b9fb55d19fa
SHA1

be8619e79b34b4e3842734e59c62417afa71fa94
SHA256

cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490
SHA512

df0f079948f565228b1ef3bcba540ab53d785f2fdaf35f9d6ce76d21ee42fe36a54b95b3b637362edb916f398e8af7993d961e0737e31984a437f2b9564a447c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qp:CcaClSFlG4ZM7QzMa

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
2776	svchcst.exe
2516	svchcst.exe
1692	svchcst.exe
1500	svchcst.exe
688	svchcst.exe
2392	svchcst.exe
1720	svchcst.exe
2368	svchcst.exe
2696	svchcst.exe
2508	svchcst.exe
1224	svchcst.exe
860	svchcst.exe
2052	svchcst.exe
596	svchcst.exe
1780	svchcst.exe
1820	svchcst.exe
1036	svchcst.exe
2512	svchcst.exe
2728	svchcst.exe
2328	svchcst.exe
1536	svchcst.exe
2428	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2796	WScript.exe
2796	WScript.exe
2496	WScript.exe
2496	WScript.exe
2900	WScript.exe
1576	WScript.exe
1576	WScript.exe
2424	WScript.exe
2424	WScript.exe
1480	WScript.exe
1480	WScript.exe
1044	WScript.exe
1044	WScript.exe
1668	WScript.exe
3064	WScript.exe
3064	WScript.exe
1028	WScript.exe
1028	WScript.exe
2276	WScript.exe
2276	WScript.exe
848	WScript.exe
848	WScript.exe
3016	WScript.exe
3016	WScript.exe
956	WScript.exe
956	WScript.exe
2212	WScript.exe
2212	WScript.exe
2628	WScript.exe
2628	WScript.exe
1052	WScript.exe
1052	WScript.exe
2296	WScript.exe
2296	WScript.exe
2220	WScript.exe
2220	WScript.exe
2288	WScript.exe
2288	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
2776	svchcst.exe
2776	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
688	svchcst.exe
688	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
1224	svchcst.exe
1224	svchcst.exe
860	svchcst.exe
860	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
596	svchcst.exe
596	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2796	2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	28
PID 2876 wrote to memory of 2796	2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	28
PID 2876 wrote to memory of 2796	2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	28
PID 2876 wrote to memory of 2796	2876	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	28
PID 2796 wrote to memory of 2776	2796	WScript.exe	30
PID 2796 wrote to memory of 2776	2796	WScript.exe	30
PID 2796 wrote to memory of 2776	2796	WScript.exe	30
PID 2796 wrote to memory of 2776	2796	WScript.exe	30
PID 2776 wrote to memory of 2496	2776	svchcst.exe	31
PID 2776 wrote to memory of 2496	2776	svchcst.exe	31
PID 2776 wrote to memory of 2496	2776	svchcst.exe	31
PID 2776 wrote to memory of 2496	2776	svchcst.exe	31
PID 2496 wrote to memory of 2516	2496	WScript.exe	32
PID 2496 wrote to memory of 2516	2496	WScript.exe	32
PID 2496 wrote to memory of 2516	2496	WScript.exe	32
PID 2496 wrote to memory of 2516	2496	WScript.exe	32
PID 2516 wrote to memory of 2900	2516	svchcst.exe	33
PID 2516 wrote to memory of 2900	2516	svchcst.exe	33
PID 2516 wrote to memory of 2900	2516	svchcst.exe	33
PID 2516 wrote to memory of 2900	2516	svchcst.exe	33
PID 2900 wrote to memory of 1692	2900	WScript.exe	34
PID 2900 wrote to memory of 1692	2900	WScript.exe	34
PID 2900 wrote to memory of 1692	2900	WScript.exe	34
PID 2900 wrote to memory of 1692	2900	WScript.exe	34
PID 1692 wrote to memory of 1576	1692	svchcst.exe	35
PID 1692 wrote to memory of 1576	1692	svchcst.exe	35
PID 1692 wrote to memory of 1576	1692	svchcst.exe	35
PID 1692 wrote to memory of 1576	1692	svchcst.exe	35
PID 1576 wrote to memory of 1500	1576	WScript.exe	36
PID 1576 wrote to memory of 1500	1576	WScript.exe	36
PID 1576 wrote to memory of 1500	1576	WScript.exe	36
PID 1576 wrote to memory of 1500	1576	WScript.exe	36
PID 1500 wrote to memory of 2424	1500	svchcst.exe	37
PID 1500 wrote to memory of 2424	1500	svchcst.exe	37
PID 1500 wrote to memory of 2424	1500	svchcst.exe	37
PID 1500 wrote to memory of 2424	1500	svchcst.exe	37
PID 2424 wrote to memory of 688	2424	WScript.exe	38
PID 2424 wrote to memory of 688	2424	WScript.exe	38
PID 2424 wrote to memory of 688	2424	WScript.exe	38
PID 2424 wrote to memory of 688	2424	WScript.exe	38
PID 688 wrote to memory of 1480	688	svchcst.exe	39
PID 688 wrote to memory of 1480	688	svchcst.exe	39
PID 688 wrote to memory of 1480	688	svchcst.exe	39
PID 688 wrote to memory of 1480	688	svchcst.exe	39
PID 1480 wrote to memory of 2392	1480	WScript.exe	40
PID 1480 wrote to memory of 2392	1480	WScript.exe	40
PID 1480 wrote to memory of 2392	1480	WScript.exe	40
PID 1480 wrote to memory of 2392	1480	WScript.exe	40
PID 2392 wrote to memory of 1044	2392	svchcst.exe	41
PID 2392 wrote to memory of 1044	2392	svchcst.exe	41
PID 2392 wrote to memory of 1044	2392	svchcst.exe	41
PID 2392 wrote to memory of 1044	2392	svchcst.exe	41
PID 1044 wrote to memory of 1720	1044	WScript.exe	44
PID 1044 wrote to memory of 1720	1044	WScript.exe	44
PID 1044 wrote to memory of 1720	1044	WScript.exe	44
PID 1044 wrote to memory of 1720	1044	WScript.exe	44
PID 1720 wrote to memory of 1668	1720	svchcst.exe	45
PID 1720 wrote to memory of 1668	1720	svchcst.exe	45
PID 1720 wrote to memory of 1668	1720	svchcst.exe	45
PID 1720 wrote to memory of 1668	1720	svchcst.exe	45
PID 1668 wrote to memory of 2368	1668	WScript.exe	46
PID 1668 wrote to memory of 2368	1668	WScript.exe	46
PID 1668 wrote to memory of 2368	1668	WScript.exe	46
PID 1668 wrote to memory of 2368	1668	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
"C:\Users\Admin\AppData\Local\Temp\cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
03bf5372c9a8521265929c62a61edb53

SHA1
284cd46f27466d93b1854dd6d7e819d46c127774

SHA256
a9cfc15bc801e9ca7e569473e72551e3c23347bd9073bb871aee4a3dfd0cd012

SHA512
3f7b4b68d422789628e5b6f4d4c06546a3313acf09c7d841e869efeede1d26123cfdc242f1d6ad52cb105ab7f919d61507ba96fbdc7f0e68ffa91e1f9272c330

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
56b27213ef66e581e0126adab02dc317

SHA1
30fa2eea57b2cc924f5b1bd2b8c6d585ffd29898

SHA256
b82a900f864805c4aacbb6e896f1f8e9fad6cb398325377fdc1e4f96e9db6298

SHA512
865d0b3bd378b05469d83dcdb544879a5fd4324e9e4b2b1f27082e5261700f1b14ddd0c17eb911596eae4bec5fa31289ac33b9317cfb87b393cceb9de02cf9f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8c38a470b806776e5b853fe04417c382

SHA1
369d2bf17b41b4b1fa972886f735532b1bc7bc26

SHA256
35097a8ca6bd35e0fe85193f6a6331ac98bee799c8a9ca0d27ed5a8a27d641d6

SHA512
4bf49119937076a861c3930a54e2190e2bec159cc272bde84816afe4110eefcffeb9aa62bf262a9affcea5100373ece72a7aa82ef8b4de822076ce385cdd1b42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1ea95d9e01bbcd12ee2a432dee5cfb9b

SHA1
84304a33b375a28f2feca338bea114081c2ec103

SHA256
66382a5781c1244b59c9240ef5bdfb109a398a645011b9859f1bd12d2fc28495

SHA512
d4286a95265fdf83a3682941db6d41acbd07dc3cf9c292b8248cd6e086b79f2ba6bf35d561c2b994f99d8f3cd819526c00f3458b8a51c40b37000ff421b60d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8f62a75b39a6e0b462355998298a2efb

SHA1
35da56e236cc21572b1f758b89aef5ec33a83e08

SHA256
30fb8673b0febec3c881690d2966197b05d1b5cfd7608170480c6b8d1fa8a070

SHA512
6f6d6a948f7ec673deb80eeea74a186a66394799042903dcdd9892482b6ec99b18376aae6c72d769c656a7ab282a7edfd73528b68efb42bb0d4f701d58efe600

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b27c802fcd3837d2dec8b1a427924bb1

SHA1
a13eea6c07832c68bf9f7a8c07018e662399224c

SHA256
f998e5991aeebfe3446d0123266c7abb71b53c7b006931bc604b2b3890c49a14

SHA512
24708a48d7ebea82689368c4ad58749409978550dc7fd3d220e6b89fb5748a82920c43932b34cf5bbb28d69366fd4aa5f24e6c35ffbbd6990e674a884b974324

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1ec7838a7a5f638e98bb11cc90daec90

SHA1
99ca2a8785ebb75cd23e36676747914fdc935dcf

SHA256
d0a8de488a42bca8ef17168a213156bf4c8afe8cb973c1d8bb03d3c03ef6d6bf

SHA512
d472ca0d372ee63d13a738c02320d3e3201de0cfcc4c9385864f2cb3c54079b4f7bad6a0c26dc031ceede9d3c49037a67b7e2bee9cbebd2b52045665899762e8

Download Submit
memory/2876-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download