a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 21:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe
Size

1.1MB
MD5

90f07e2716cedfeb4cb0421076d8b0b4
SHA1

3f14394cdfb084841cf756f4808a01b70b460e2f
SHA256

a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087
SHA512

6a7884e06176ac138d90f98c62ab4bbc644128387d9f9143824b6eaf3fb7812c5d5d75c8f5dfe3843e4d121e0d840948964b360176c304f56c525783852671ca
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q0:acallSllG4ZM7QzMT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2868	svchcst.exe
2380	svchcst.exe
1860	svchcst.exe
2568	svchcst.exe
1112	svchcst.exe
1524	svchcst.exe
628	svchcst.exe
1312	svchcst.exe
2528	svchcst.exe
2212	svchcst.exe
2708	svchcst.exe
764	svchcst.exe
2944	svchcst.exe
2384	svchcst.exe
848	svchcst.exe
3032	svchcst.exe
2072	svchcst.exe
2416	svchcst.exe
2788	svchcst.exe
1952	svchcst.exe
552	svchcst.exe
1800	svchcst.exe
272	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
1944	WScript.exe
1944	WScript.exe
2584	WScript.exe
2584	WScript.exe
2876	WScript.exe
2876	WScript.exe
2768	WScript.exe
2768	WScript.exe
1748	WScript.exe
860	WScript.exe
860	WScript.exe
860	WScript.exe
892	WScript.exe
892	WScript.exe
2808	WScript.exe
3000	WScript.exe
3000	WScript.exe
3000	WScript.exe
1868	WScript.exe
1868	WScript.exe
2768	WScript.exe
2768	WScript.exe
1972	WScript.exe
1972	WScript.exe
2224	WScript.exe
2224	WScript.exe
1684	WScript.exe
1684	WScript.exe
2672	WScript.exe
2672	WScript.exe
2192	WScript.exe
2192	WScript.exe
2964	WScript.exe
2964	WScript.exe
2436	WScript.exe
2436	WScript.exe
300	WScript.exe
300	WScript.exe
532	WScript.exe
532	WScript.exe
1364	WScript.exe
1364	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe
352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe
2868	svchcst.exe
2868	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
1112	svchcst.exe
1112	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
628	svchcst.exe
628	svchcst.exe
1312	svchcst.exe
1312	svchcst.exe
2528	svchcst.exe
2528	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
764	svchcst.exe
764	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
848	svchcst.exe
848	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
552	svchcst.exe
552	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe
272	svchcst.exe
272	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 1944	352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe	28
PID 352 wrote to memory of 1944	352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe	28
PID 352 wrote to memory of 1944	352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe	28
PID 352 wrote to memory of 1944	352	a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe	28
PID 1944 wrote to memory of 2868	1944	WScript.exe	30
PID 1944 wrote to memory of 2868	1944	WScript.exe	30
PID 1944 wrote to memory of 2868	1944	WScript.exe	30
PID 1944 wrote to memory of 2868	1944	WScript.exe	30
PID 2868 wrote to memory of 2584	2868	svchcst.exe	31
PID 2868 wrote to memory of 2584	2868	svchcst.exe	31
PID 2868 wrote to memory of 2584	2868	svchcst.exe	31
PID 2868 wrote to memory of 2584	2868	svchcst.exe	31
PID 2584 wrote to memory of 2380	2584	WScript.exe	32
PID 2584 wrote to memory of 2380	2584	WScript.exe	32
PID 2584 wrote to memory of 2380	2584	WScript.exe	32
PID 2584 wrote to memory of 2380	2584	WScript.exe	32
PID 2380 wrote to memory of 2876	2380	svchcst.exe	33
PID 2380 wrote to memory of 2876	2380	svchcst.exe	33
PID 2380 wrote to memory of 2876	2380	svchcst.exe	33
PID 2380 wrote to memory of 2876	2380	svchcst.exe	33
PID 2876 wrote to memory of 1860	2876	WScript.exe	34
PID 2876 wrote to memory of 1860	2876	WScript.exe	34
PID 2876 wrote to memory of 1860	2876	WScript.exe	34
PID 2876 wrote to memory of 1860	2876	WScript.exe	34
PID 1860 wrote to memory of 2768	1860	svchcst.exe	35
PID 1860 wrote to memory of 2768	1860	svchcst.exe	35
PID 1860 wrote to memory of 2768	1860	svchcst.exe	35
PID 1860 wrote to memory of 2768	1860	svchcst.exe	35
PID 2768 wrote to memory of 2568	2768	WScript.exe	36
PID 2768 wrote to memory of 2568	2768	WScript.exe	36
PID 2768 wrote to memory of 2568	2768	WScript.exe	36
PID 2768 wrote to memory of 2568	2768	WScript.exe	36
PID 2568 wrote to memory of 1748	2568	svchcst.exe	37
PID 2568 wrote to memory of 1748	2568	svchcst.exe	37
PID 2568 wrote to memory of 1748	2568	svchcst.exe	37
PID 2568 wrote to memory of 1748	2568	svchcst.exe	37
PID 1748 wrote to memory of 1112	1748	WScript.exe	38
PID 1748 wrote to memory of 1112	1748	WScript.exe	38
PID 1748 wrote to memory of 1112	1748	WScript.exe	38
PID 1748 wrote to memory of 1112	1748	WScript.exe	38
PID 1112 wrote to memory of 860	1112	svchcst.exe	39
PID 1112 wrote to memory of 860	1112	svchcst.exe	39
PID 1112 wrote to memory of 860	1112	svchcst.exe	39
PID 1112 wrote to memory of 860	1112	svchcst.exe	39
PID 860 wrote to memory of 1524	860	WScript.exe	40
PID 860 wrote to memory of 1524	860	WScript.exe	40
PID 860 wrote to memory of 1524	860	WScript.exe	40
PID 860 wrote to memory of 1524	860	WScript.exe	40
PID 1524 wrote to memory of 2140	1524	svchcst.exe	41
PID 1524 wrote to memory of 2140	1524	svchcst.exe	41
PID 1524 wrote to memory of 2140	1524	svchcst.exe	41
PID 1524 wrote to memory of 2140	1524	svchcst.exe	41
PID 860 wrote to memory of 628	860	WScript.exe	42
PID 860 wrote to memory of 628	860	WScript.exe	42
PID 860 wrote to memory of 628	860	WScript.exe	42
PID 860 wrote to memory of 628	860	WScript.exe	42
PID 628 wrote to memory of 892	628	svchcst.exe	43
PID 628 wrote to memory of 892	628	svchcst.exe	43
PID 628 wrote to memory of 892	628	svchcst.exe	43
PID 628 wrote to memory of 892	628	svchcst.exe	43
PID 892 wrote to memory of 1312	892	WScript.exe	46
PID 892 wrote to memory of 1312	892	WScript.exe	46
PID 892 wrote to memory of 1312	892	WScript.exe	46
PID 892 wrote to memory of 1312	892	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe
"C:\Users\Admin\AppData\Local\Temp\a4bb741d54fffdd78831d9886702507b484409e5d8e4573d826d4a418c8df087.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a196595c7f012ec3ddb1f0e0818a7ec7

SHA1
0e42a534cf307f7e3d82acefadbcd46fa47068ff

SHA256
09b6c2c4ec43b849aa516593caf8895f1b1d0a8df434acf547827ed7267ef254

SHA512
db4cce171db72242bbad0ffd61305caab37bf5d6152389d5a26170154a7e5f5e3eb423214e8166d893851bfdfd5708f1bb4df90acf65b47bb1958c147a912412

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4772c4bc86532c51e936504227231d0c

SHA1
2282090c4290be6e5da0d39a6f6ab5f99e854f8b

SHA256
7a293a1316ccff7b540204593a134b7d9c3893b8d853d9b8f6a36015f34d396e

SHA512
1c5b193d8a3000364c3b185ddb0d9ed72f59988108af010d015cc594515501bd8b198827c6f357a6760e7dc8383245a784ebf3a47c1a50b70b5ed256b10bbec7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
daf2eea2af6a3f9694f449485b855b9f

SHA1
d2b62b5a05f960e0e5c52aa733c2ca75e26a12f4

SHA256
55decd5fd6c41a751def0c181bc815e97542bbaec108924e328be6482bfa8781

SHA512
1d3e07fb0d5d14431635d01c7532ce9e26b9b00285b2cb9e3a96ab670f01741cbeec12e5acf310d31a322436f9e165491c80975cd34d6d3513a31d1c53b5aa6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3c23501eaabb216d427122e2f49011fb

SHA1
493fd0673ec6fb68c664b74890a9a3a8665114fd

SHA256
699cbd2a56f6c498547a0852e66a6ce0bfa5fc5f95850448b2ebcfca16466e43

SHA512
4c5245f1acca7ec4bc5ad06865f066f855197b7f88a0f4c4a1cc2a5ac3a806e6acc1c307af45d016861ba1af895e7668d6cacedb3407e77af3a2a344e4deda33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
21afb1daf7d9570f17cc70198057705f

SHA1
4636c37bc7a7801f1204a42426cfed9e9ca34d90

SHA256
bfe844345892dbb4e01191210356fc365da5fb8b1a5c684edd798d372d894783

SHA512
874ecb8069a921369d2389d08f84c7b4058f9dd32ca11751d916fc4e37f0d00f1bc3491db539ecd1762aa1462c607a4f72dc1d90e23cc46c35bc533b63007033

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62667f4cf3d297b4d474ebc6f63e2b8f

SHA1
55d61f2a8b965004d725a5eddb84d252425c673f

SHA256
574df7e2ac3328a4aaaa3e6c672963b12dd304e5a2e74f778937e59976bebff4

SHA512
bf357147b12f664ddb24daa04ddeb0d53ce65676dd65c9b00f582c0d9f0045beac2e81234d1062d48b092ec4cae0cec49913c80f25589ee4ee4f362c622fe7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ab0be599527fbf17b645416617ecf24d

SHA1
ed7de6e9030c9ff1b65a59631a1745ca3c891be0

SHA256
17eea2d8a65b02258b547e395267dbf7085ef75d937135f75322a03d4cd4f163

SHA512
08d124f98eabcd8f9972d75b3188152d02706c6b1b495f15af6b1b94ef15274cea8832d349207c2311187bba7728a041dc45d1deb59396294c2d9b4a42a73378

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c73b6253e7a489ca4ebb62ac6bc2a03c

SHA1
1d17bd81effff1a0cde28c2e53d6d853d64acab7

SHA256
163eb8ba20b0a370e2b74c445df1d889373663fa4f2346c350566c3e5a655841

SHA512
893b87cd1fe8a8dcaf7750254350143f30740b88cb782801951638aa36319a45dd763d3fdb00b6141652ff549517aee9312068378ad98d02da8acf860302443f

Download Submit
memory/272-262-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/352-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/352-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/552-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/552-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/628-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/628-98-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/764-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/764-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/848-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/848-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/860-97-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

Filesize
1.4MB

Download
memory/860-96-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

Filesize
1.4MB

Download
memory/892-111-0x00000000047C0000-0x000000000491F000-memory.dmp

Filesize
1.4MB

Download
memory/892-110-0x00000000047C0000-0x000000000491F000-memory.dmp

Filesize
1.4MB

Download
memory/1112-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1312-113-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1312-121-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1524-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1684-198-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/1800-261-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1800-254-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-161-0x0000000004550000-0x00000000046AF000-memory.dmp

Filesize
1.4MB

Download
memory/1952-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1952-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1972-209-0x00000000043C0000-0x000000000451F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-219-0x0000000004650000-0x00000000047AF000-memory.dmp

Filesize
1.4MB

Download
memory/2212-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-145-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2224-189-0x0000000004860000-0x00000000049BF000-memory.dmp

Filesize
1.4MB

Download
memory/2224-188-0x0000000004860000-0x00000000049BF000-memory.dmp

Filesize
1.4MB

Download
memory/2224-218-0x0000000004860000-0x00000000049BF000-memory.dmp

Filesize
1.4MB

Download
memory/2380-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2380-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-224-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-237-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/2528-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2528-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-69-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2568-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-207-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2672-208-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2708-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-171-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-58-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/2768-170-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2876-44-0x0000000005C50000-0x0000000005DAF000-memory.dmp

Filesize
1.4MB

Download
memory/2944-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-228-0x00000000046B0000-0x000000000480F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-151-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/3000-149-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/3032-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download