Analysis
max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 18:36
Static task: static1
Behavioral task: behavioral1
  Sample: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
  Resource: win10v2004-20240508-en
General
Target: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
Size: 1.1MB
MD5: c136d52566d04a9c10626bff3fcb2886
SHA1: 44f394c5d9ab3d50b7dc0de6987e84c2ad0db4f5
SHA256: dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c
SHA512: 5ee80cdbdb8f63c81722f96a5815f05c8d4b23c6e7c48f72673d64cf1a4db56958e7d40a17b862316d24b548068db04a52cc5d67e01d101a04f8921c57d2a7d7
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qr:acallSllG4ZM7QzMM
Malware Config
Signatures
Deletes itself (1 IoC)
Processes (pid process):
  2456 svchcst.exe

Executes dropped EXE (23 IoCs)
Processes (pid process):
  2456 svchcst.exe
  2960 svchcst.exe
  2608 svchcst.exe
  2052 svchcst.exe
  1480 svchcst.exe
  1548 svchcst.exe
  2212 svchcst.exe
  2536 svchcst.exe
  2504 svchcst.exe
  2604 svchcst.exe
  2844 svchcst.exe
  324 svchcst.exe
  400 svchcst.exe
  1032 svchcst.exe
  2360 svchcst.exe
  1620 svchcst.exe
  1504 svchcst.exe
  3020 svchcst.exe
  2964 svchcst.exe
  2664 svchcst.exe
  1692 svchcst.exe
  2916 svchcst.exe
  2236 svchcst.exe

Loads dropped DLL (40 IoCs)
Processes (pid process, number of entries in report order):
  2512 WScript.exe (x2)
  2548 WScript.exe (x2)
  2144 WScript.exe (x2)
  2816 WScript.exe (x2)
  2908 WScript.exe (x2)
  1780 WScript.exe (x1)
  1056 WScript.exe (x3)
  2216 WScript.exe (x1)
  1812 WScript.exe (x1)
  3036 WScript.exe (x1)
  1396 WScript.exe (x1)
  2100 WScript.exe (x2)
  2908 WScript.exe (x2)
  2112 WScript.exe (x2)
  2036 WScript.exe (x2)
  2648 WScript.exe (x2)
  1912 WScript.exe (x2)
  1100 WScript.exe (x2)
  2676 WScript.exe (x2)
  1760 WScript.exe (x2)
  288 WScript.exe (x2)
  1960 WScript.exe (x2)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid process, number of entries in report order):
  2880 dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe (x1)
  2456 svchcst.exe (x58)
  2960 svchcst.exe (x5)

Suspicious behavior: RenamesItself (1 IoC)
Processes (pid process):
  2880 dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe

Suspicious use of SetWindowsHookEx (48 IoCs)
Processes (pid process, number of entries in report order):
  2880 dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe (x2)
  2456 svchcst.exe (x2)
  2960 svchcst.exe (x2)
  2608 svchcst.exe (x2)
  2052 svchcst.exe (x2)
  1480 svchcst.exe (x2)
  1548 svchcst.exe (x2)
  2212 svchcst.exe (x2)
  2536 svchcst.exe (x2)
  2504 svchcst.exe (x2)
  2604 svchcst.exe (x2)
  2844 svchcst.exe (x2)
  324 svchcst.exe (x2)
  400 svchcst.exe (x2)
  1032 svchcst.exe (x2)
  2360 svchcst.exe (x2)
  1620 svchcst.exe (x2)
  1504 svchcst.exe (x2)
  3020 svchcst.exe (x2)
  2964 svchcst.exe (x2)
  2664 svchcst.exe (x2)
  1692 svchcst.exe (x2)
  2916 svchcst.exe (x2)
  2236 svchcst.exe (x2)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid and process -> target pid and process; each pair is listed 4 times in the report, 16 pairs in total):
  2880 dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe -> 2512 WScript.exe
  2512 WScript.exe -> 2456 svchcst.exe
  2456 svchcst.exe -> 2548 WScript.exe
  2548 WScript.exe -> 2960 svchcst.exe
  2960 svchcst.exe -> 2144 WScript.exe
  2144 WScript.exe -> 2608 svchcst.exe
  2608 svchcst.exe -> 2816 WScript.exe
  2816 WScript.exe -> 2052 svchcst.exe
  2052 svchcst.exe -> 2908 WScript.exe
  2908 WScript.exe -> 1480 svchcst.exe
  1480 svchcst.exe -> 1780 WScript.exe
  1780 WScript.exe -> 1548 svchcst.exe
  1548 svchcst.exe -> 1056 WScript.exe
  1056 WScript.exe -> 2212 svchcst.exe
  2212 svchcst.exe -> 2216 WScript.exe
  1056 WScript.exe -> 2536 svchcst.exe
Processes (tree depth, image path, command line, PID, signatures)

[depth 1] C:\Users\Admin\AppData\Local\Temp\dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dc4506cdc1b3bec674fdfd83efeea695907bb85664b4ff1ead14a6af3f84564c.exe"
  PID: 2880
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2512
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2456
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2548
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2960
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2144
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2608
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2816
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2052
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2908
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 11] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 1480
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1780
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 13] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 1548
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1056
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 15] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2212
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

[depth 16] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2216
  - Loads dropped DLL

[depth 17] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2504
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 18] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2448

[depth 15] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2536
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 16] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1812
  - Loads dropped DLL

[depth 17] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2604
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 18] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 3036
  - Loads dropped DLL

[depth 19] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2844
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 20] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1396
  - Loads dropped DLL

[depth 21] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 324
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 22] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2100
  - Loads dropped DLL

[depth 23] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 400
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 24] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2908
  - Loads dropped DLL

[depth 25] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 1032
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 26] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2112
  - Loads dropped DLL

[depth 27] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2360
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 28] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2036
  - Loads dropped DLL

[depth 29] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 1620
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 30] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2648
  - Loads dropped DLL

[depth 31] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 1504
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 32] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1912
  - Loads dropped DLL

[depth 33] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 3020
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 34] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1100
  - Loads dropped DLL

[depth 35] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2964
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 36] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 2676
  - Loads dropped DLL

[depth 37] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2664
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 38] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1760
  - Loads dropped DLL

[depth 39] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 1692
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 40] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 288
  - Loads dropped DLL

[depth 41] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2916
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 42] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 1960
  - Loads dropped DLL

[depth 43] C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  PID: 2236
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 44] C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  PID: 636
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 92B
MD5: 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1: e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256: 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512: 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Filesize: 696B
MD5: 9e8dca236ce949019c46b94428612ac9
SHA1: 0917050afcbb7b94fce6fbb9827fb57de7432b0b
SHA256: bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3
SHA512: 23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Filesize: 696B
MD5: 4433cc23fc280ad8dcff9966bac19fe4
SHA1: 62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0
SHA256: ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b
SHA512: 6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Filesize: 696B
MD5: d44632a3e4cce7689f6de0096ea7b712
SHA1: 62726ae2641d71b6a218793f1ca8c00c81443eda
SHA256: 013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603
SHA512: ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Filesize: 696B
MD5: 463784728a0ab2b8cc52ee1ed0e5258e
SHA1: 620a618c31439d36e8539e50359713befcc28e92
SHA256: a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b
SHA512: 52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Filesize: 753B
MD5: 4921a6d4e706155e88ef83d84b5c9bac
SHA1: 5b622eda004a81eeac42c820a35c04e81594cd6a
SHA256: fdb22eb852ea0224376c7569b5de860f61a6db1b966004e81f95ff7578d0610d
SHA512: 2f5f142292874f838ae8f2a61baf2d29fa64933fc8a73a662e7b7e92bf04c97af0581bc022042dcec79bbec85a917bea8518436c235c1cbdec6a342ed207bd83

Filesize: 696B
MD5: 24e4a44b907089d788280d647e33c77e
SHA1: ac5a4e397dea243c0022c55319e7c7035d013905
SHA256: 7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211
SHA512: c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Filesize: 696B
MD5: 8cb32754e88999ece2a392d94875313e
SHA1: da0ef4e297872b82db206ebdc4cafefeed2a4e3d
SHA256: 3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d
SHA512: a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Filesize: 696B
MD5: 81911744d71ed066085116eec2026095
SHA1: 47cfe383cd90c80f367d20667fa26cd160507a8f
SHA256: 3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5
SHA512: e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Filesize: 696B
MD5: 93bffb400f506fbd69421b6075802c65
SHA1: b9d8c4ea6a8fd739f6cf167e1f58412525f15784
SHA256: 2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1
SHA512: e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Filesize: 696B
MD5: 03f68343f5906993640e0b9e3f9c7964
SHA1: 699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2
SHA256: dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727
SHA512: 76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Filesize: 696B
MD5: 423a0fabd3a9fd2cbedc3aba67c69650
SHA1: 880097557ac6718e93822ac7efc9a3e2986c51de
SHA256: d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b
SHA512: c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Filesize: 696B
MD5: 2caa2e102cde23b48c1d5a47d901c3ff
SHA1: 715fcb390ad3d9016885ab48ea99b2e204d1989b
SHA256: 8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada
SHA512: 9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Filesize: 1.1MB
MD5: 8b95ab2f3e7a7db850bbaafc29e4579e
SHA1: d5b09efa21115f65dd1415549b7d69cbbfd18ad7
SHA256: fbc49f25dd5abde865fef71ae97d7d5d5b7c1d4c405312f5bd41ca53d9abec35
SHA512: e21ea17048fe77b13d70b8340f4f9c4016d41577b5249516a257c8d9e6475c0eda95e4fa58e7228ecae25ae0a547ec7ee92fe66fa36c09a12bb4d26a1441bbe6

Filesize: 1.1MB
MD5: 134ee0cfc792227ee37b7980a57d59c9
SHA1: 15a2cf25bf5fdc237f1d7fa57f0f980348b79e8a
SHA256: d0e6b8c2c0200222759391c0c894bf14b4dfd4155c1470e5a3b2dea91b95e6f1
SHA512: de7aa16651e4d0ba8161cfe0e4c2111775da231dacc2fa54f9b259e83d68112e7c5d96e2b1a13f7e32693a188aaa3161571ee354e742fbdc5671662eac4b0ffe

Filesize: 1.1MB
MD5: dfc67a4179ed05fc25648f3141498936
SHA1: 5b377700a7ff3bd10fce8f0d228d1c3b0a47e004
SHA256: c6ffac125ea6fe1f92b6a19e8c765649248d63eced1938a1daad71c341448707
SHA512: 4be2da08c80fbbafdbbee85748a0bf88d50764cbafb574b530ad0a60057fbbcafb70ee1c08e72c2def38c77932e0d13a880759ab08502fe1351b20a1aacf68f8

Filesize: 1.1MB
MD5: 5537fc0d500becad2d0e7cc2a78753e4
SHA1: bb319ae8b581f611c5f392404bbc63b0e9ab1e71
SHA256: 32dd022654a7648de4550e072ecf22aa78dbd5f96ea3711eb1060dc847990556
SHA512: 315ef86c076c5d6e391b943a887ff450ced3be68d7b18e0defb513b89d2bae11e7701706739ca38324ffa6040fe4ae7fa8ac6857f91bba9f1383b190d422301a

Filesize: 1.1MB
MD5: 725beaa7b202aa6aea3212a6a1376bc9
SHA1: e805dbb7212be2e328464bfc23b49b023d4ef019
SHA256: aec790250e9b5688d69e11c867335f2dad6a9b62ad05b372311a0e0a7e117ea7
SHA512: 04a593f550800416bf7d587b5f85d89d0c8d7708f6f7f7841e7aacf2dfc95ea7e86e8860b32ceb21d56cbe83a588b94ce73e79f205f01e06451c9353c0228000

Filesize: (not listed in report)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 1.1MB
MD5: 160e344039fa5cb4235b5a869da648ed
SHA1: 1eef677a79c32309643885bf36b48f815942d76c
SHA256: d3567567352b8c63d6e16ac25687e3d5fcb1d0222bd7312639162f090d21dd39
SHA512: aab980f746c269da7f92844578c9085fa1c48b467a350ed11ff555309d87b9459827f60a80e4effccac5f4b5745b263b81ab990e2c3b19ddff40f08ae4ffa43f