0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
Size

1.1MB
MD5

2a58969cbd444a5d8dcfbd3f93019c83
SHA1

ca6f5198678af921cd7c089566b1b1f7f48c09db
SHA256

0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456
SHA512

4b210820fcee0e29e412f7a12d69760169b910d7be14d63679334a3af020235fd61a560e8081a3ec47a2e1e23847392eda5c3a5a8a2e3cef811184a7cde50ac2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzMp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2520	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2520	svchcst.exe
632	svchcst.exe
2132	svchcst.exe
2848	svchcst.exe
1248	svchcst.exe
840	svchcst.exe
2000	svchcst.exe
2300	svchcst.exe
1880	svchcst.exe
1564	svchcst.exe
2456	svchcst.exe
2128	svchcst.exe
2720	svchcst.exe
484	svchcst.exe
768	svchcst.exe
3020	svchcst.exe
1884	svchcst.exe
1508	svchcst.exe
2928	svchcst.exe
2636	svchcst.exe
1264	svchcst.exe
2704	svchcst.exe
2872	svchcst.exe
2104	svchcst.exe

Loads dropped DLL 34 IoCs

pid	Process
1624	WScript.exe
1624	WScript.exe
2552	WScript.exe
1568	WScript.exe
1912	WScript.exe
1960	WScript.exe
1720	WScript.exe
1720	WScript.exe
1720	WScript.exe
2088	WScript.exe
2556	WScript.exe
2556	WScript.exe
108	WScript.exe
2864	WScript.exe
108	WScript.exe
2740	WScript.exe
1544	WScript.exe
1544	WScript.exe
612	WScript.exe
612	WScript.exe
1664	WScript.exe
1664	WScript.exe
1708	WScript.exe
1708	WScript.exe
856	WScript.exe
856	WScript.exe
2552	WScript.exe
2552	WScript.exe
2684	WScript.exe
2684	WScript.exe
1572	WScript.exe
1572	WScript.exe
2148	WScript.exe
2148	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
632	svchcst.exe
632	svchcst.exe
632	svchcst.exe
632	svchcst.exe
632	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
2520	svchcst.exe
2520	svchcst.exe
632	svchcst.exe
632	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
840	svchcst.exe
840	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
1880	svchcst.exe
1880	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
484	svchcst.exe
484	svchcst.exe
768	svchcst.exe
768	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
1884	svchcst.exe
1884	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
1264	svchcst.exe
1264	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1624	1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	28
PID 1948 wrote to memory of 1624	1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	28
PID 1948 wrote to memory of 1624	1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	28
PID 1948 wrote to memory of 1624	1948	0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe	28
PID 1624 wrote to memory of 2520	1624	WScript.exe	30
PID 1624 wrote to memory of 2520	1624	WScript.exe	30
PID 1624 wrote to memory of 2520	1624	WScript.exe	30
PID 1624 wrote to memory of 2520	1624	WScript.exe	30
PID 2520 wrote to memory of 2552	2520	svchcst.exe	31
PID 2520 wrote to memory of 2552	2520	svchcst.exe	31
PID 2520 wrote to memory of 2552	2520	svchcst.exe	31
PID 2520 wrote to memory of 2552	2520	svchcst.exe	31
PID 2552 wrote to memory of 632	2552	WScript.exe	32
PID 2552 wrote to memory of 632	2552	WScript.exe	32
PID 2552 wrote to memory of 632	2552	WScript.exe	32
PID 2552 wrote to memory of 632	2552	WScript.exe	32
PID 632 wrote to memory of 1568	632	svchcst.exe	33
PID 632 wrote to memory of 1568	632	svchcst.exe	33
PID 632 wrote to memory of 1568	632	svchcst.exe	33
PID 632 wrote to memory of 1568	632	svchcst.exe	33
PID 1568 wrote to memory of 2132	1568	WScript.exe	34
PID 1568 wrote to memory of 2132	1568	WScript.exe	34
PID 1568 wrote to memory of 2132	1568	WScript.exe	34
PID 1568 wrote to memory of 2132	1568	WScript.exe	34
PID 2132 wrote to memory of 1912	2132	svchcst.exe	35
PID 2132 wrote to memory of 1912	2132	svchcst.exe	35
PID 2132 wrote to memory of 1912	2132	svchcst.exe	35
PID 2132 wrote to memory of 1912	2132	svchcst.exe	35
PID 1912 wrote to memory of 2848	1912	WScript.exe	36
PID 1912 wrote to memory of 2848	1912	WScript.exe	36
PID 1912 wrote to memory of 2848	1912	WScript.exe	36
PID 1912 wrote to memory of 2848	1912	WScript.exe	36
PID 2848 wrote to memory of 1960	2848	svchcst.exe	37
PID 2848 wrote to memory of 1960	2848	svchcst.exe	37
PID 2848 wrote to memory of 1960	2848	svchcst.exe	37
PID 2848 wrote to memory of 1960	2848	svchcst.exe	37
PID 1960 wrote to memory of 1248	1960	WScript.exe	38
PID 1960 wrote to memory of 1248	1960	WScript.exe	38
PID 1960 wrote to memory of 1248	1960	WScript.exe	38
PID 1960 wrote to memory of 1248	1960	WScript.exe	38
PID 1248 wrote to memory of 1720	1248	svchcst.exe	39
PID 1248 wrote to memory of 1720	1248	svchcst.exe	39
PID 1248 wrote to memory of 1720	1248	svchcst.exe	39
PID 1248 wrote to memory of 1720	1248	svchcst.exe	39
PID 1720 wrote to memory of 840	1720	WScript.exe	40
PID 1720 wrote to memory of 840	1720	WScript.exe	40
PID 1720 wrote to memory of 840	1720	WScript.exe	40
PID 1720 wrote to memory of 840	1720	WScript.exe	40
PID 840 wrote to memory of 844	840	svchcst.exe	41
PID 840 wrote to memory of 844	840	svchcst.exe	41
PID 840 wrote to memory of 844	840	svchcst.exe	41
PID 840 wrote to memory of 844	840	svchcst.exe	41
PID 1720 wrote to memory of 2000	1720	WScript.exe	42
PID 1720 wrote to memory of 2000	1720	WScript.exe	42
PID 1720 wrote to memory of 2000	1720	WScript.exe	42
PID 1720 wrote to memory of 2000	1720	WScript.exe	42
PID 2000 wrote to memory of 1704	2000	svchcst.exe	43
PID 2000 wrote to memory of 1704	2000	svchcst.exe	43
PID 2000 wrote to memory of 1704	2000	svchcst.exe	43
PID 2000 wrote to memory of 1704	2000	svchcst.exe	43
PID 1720 wrote to memory of 2300	1720	WScript.exe	46
PID 1720 wrote to memory of 2300	1720	WScript.exe	46
PID 1720 wrote to memory of 2300	1720	WScript.exe	46
PID 1720 wrote to memory of 2300	1720	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe
"C:\Users\Admin\AppData\Local\Temp\0c5ca06061a4a3b7bc30f6d189acbb22e195f2157fddbd95e1dafe11d3bc3456.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6f174bf2fd5ff56dcf5c9222128baa1e

SHA1
29d3f871c3ca249f24f7dc66837d970d60582405

SHA256
5c393032c6c3df82a01909291c7a8df65031af431a2636423a27b534116255ee

SHA512
95b7057f746d23810692e31c46a6d0ec8228aac90888eb1aa65052053e88269a4f6af6a36d84d5d94ead9e0801c15fd5dc35467617c111adfcffad6e82d6a5d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dbb25b1722acadefee24eb9ce99966ad

SHA1
fade15bf2857dc13404c2e7389a2409ab0559630

SHA256
6d37d7bc8c644b6dfe6bb25c6ce8a0d70efc14f12d45eb4a0d56ae2c2636b808

SHA512
e0294573469dbaeb9f7443ea3a8840071a4bd6bc7cdc7b5d981d1aabb58130a9cb6f77308d3b18c19b5e728bcb1f688c02f200ab37cf9937a901e6a00528152a

Download Submit
memory/1948-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download