8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe
Size

1.1MB
MD5

771b0347766a8f4e56f9283bff5f70fe
SHA1

da1be6f86e02a455e4462329caf27df83333667e
SHA256

8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c
SHA512

a7fb778a25e65561f1d1b030ed5e27b6575d76c90d0821c0ebb1729d26bd153f045042ba3a6255ad39eff4c1b301248d451724ec203e625743e0b40807027c6f
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qv:acallSllG4ZM7QzMo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2652	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2652	svchcst.exe
2688	svchcst.exe
852	svchcst.exe
2508	svchcst.exe
536	svchcst.exe
2500	svchcst.exe
592	svchcst.exe
2084	svchcst.exe
2760	svchcst.exe
2552	svchcst.exe
1968	svchcst.exe
996	svchcst.exe
1692	svchcst.exe
2240	svchcst.exe
828	svchcst.exe
2232	svchcst.exe
980	svchcst.exe
2524	svchcst.exe
2992	svchcst.exe
2800	svchcst.exe
1472	svchcst.exe
2336	svchcst.exe
2028	svchcst.exe

Loads dropped DLL 34 IoCs

pid	Process
2896	WScript.exe
2896	WScript.exe
1956	WScript.exe
1860	WScript.exe
1860	WScript.exe
2808	WScript.exe
1844	WScript.exe
960	WScript.exe
2128	WScript.exe
2128	WScript.exe
2720	WScript.exe
2564	WScript.exe
1216	WScript.exe
1424	WScript.exe
1216	WScript.exe
2616	WScript.exe
1544	WScript.exe
1544	WScript.exe
1496	WScript.exe
1496	WScript.exe
2912	WScript.exe
2912	WScript.exe
1284	WScript.exe
1284	WScript.exe
2172	WScript.exe
2172	WScript.exe
2584	WScript.exe
2584	WScript.exe
2064	WScript.exe
2064	WScript.exe
2688	WScript.exe
2688	WScript.exe
2156	WScript.exe
2156	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe
2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe
2652	svchcst.exe
2652	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
852	svchcst.exe
852	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
592	svchcst.exe
592	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
996	svchcst.exe
996	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
828	svchcst.exe
828	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
980	svchcst.exe
980	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2896	2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe	28
PID 2104 wrote to memory of 2896	2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe	28
PID 2104 wrote to memory of 2896	2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe	28
PID 2104 wrote to memory of 2896	2104	8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe	28
PID 2896 wrote to memory of 2652	2896	WScript.exe	30
PID 2896 wrote to memory of 2652	2896	WScript.exe	30
PID 2896 wrote to memory of 2652	2896	WScript.exe	30
PID 2896 wrote to memory of 2652	2896	WScript.exe	30
PID 2652 wrote to memory of 1956	2652	svchcst.exe	31
PID 2652 wrote to memory of 1956	2652	svchcst.exe	31
PID 2652 wrote to memory of 1956	2652	svchcst.exe	31
PID 2652 wrote to memory of 1956	2652	svchcst.exe	31
PID 1956 wrote to memory of 2688	1956	WScript.exe	32
PID 1956 wrote to memory of 2688	1956	WScript.exe	32
PID 1956 wrote to memory of 2688	1956	WScript.exe	32
PID 1956 wrote to memory of 2688	1956	WScript.exe	32
PID 2688 wrote to memory of 1860	2688	svchcst.exe	33
PID 2688 wrote to memory of 1860	2688	svchcst.exe	33
PID 2688 wrote to memory of 1860	2688	svchcst.exe	33
PID 2688 wrote to memory of 1860	2688	svchcst.exe	33
PID 1860 wrote to memory of 852	1860	WScript.exe	34
PID 1860 wrote to memory of 852	1860	WScript.exe	34
PID 1860 wrote to memory of 852	1860	WScript.exe	34
PID 1860 wrote to memory of 852	1860	WScript.exe	34
PID 852 wrote to memory of 2192	852	svchcst.exe	35
PID 852 wrote to memory of 2192	852	svchcst.exe	35
PID 852 wrote to memory of 2192	852	svchcst.exe	35
PID 852 wrote to memory of 2192	852	svchcst.exe	35
PID 1860 wrote to memory of 2508	1860	WScript.exe	36
PID 1860 wrote to memory of 2508	1860	WScript.exe	36
PID 1860 wrote to memory of 2508	1860	WScript.exe	36
PID 1860 wrote to memory of 2508	1860	WScript.exe	36
PID 2508 wrote to memory of 2808	2508	svchcst.exe	37
PID 2508 wrote to memory of 2808	2508	svchcst.exe	37
PID 2508 wrote to memory of 2808	2508	svchcst.exe	37
PID 2508 wrote to memory of 2808	2508	svchcst.exe	37
PID 2808 wrote to memory of 536	2808	WScript.exe	38
PID 2808 wrote to memory of 536	2808	WScript.exe	38
PID 2808 wrote to memory of 536	2808	WScript.exe	38
PID 2808 wrote to memory of 536	2808	WScript.exe	38
PID 536 wrote to memory of 1844	536	svchcst.exe	39
PID 536 wrote to memory of 1844	536	svchcst.exe	39
PID 536 wrote to memory of 1844	536	svchcst.exe	39
PID 536 wrote to memory of 1844	536	svchcst.exe	39
PID 1844 wrote to memory of 2500	1844	WScript.exe	40
PID 1844 wrote to memory of 2500	1844	WScript.exe	40
PID 1844 wrote to memory of 2500	1844	WScript.exe	40
PID 1844 wrote to memory of 2500	1844	WScript.exe	40
PID 2500 wrote to memory of 960	2500	svchcst.exe	41
PID 2500 wrote to memory of 960	2500	svchcst.exe	41
PID 2500 wrote to memory of 960	2500	svchcst.exe	41
PID 2500 wrote to memory of 960	2500	svchcst.exe	41
PID 960 wrote to memory of 592	960	WScript.exe	42
PID 960 wrote to memory of 592	960	WScript.exe	42
PID 960 wrote to memory of 592	960	WScript.exe	42
PID 960 wrote to memory of 592	960	WScript.exe	42
PID 592 wrote to memory of 2128	592	svchcst.exe	43
PID 592 wrote to memory of 2128	592	svchcst.exe	43
PID 592 wrote to memory of 2128	592	svchcst.exe	43
PID 592 wrote to memory of 2128	592	svchcst.exe	43
PID 2128 wrote to memory of 2084	2128	WScript.exe	46
PID 2128 wrote to memory of 2084	2128	WScript.exe	46
PID 2128 wrote to memory of 2084	2128	WScript.exe	46
PID 2128 wrote to memory of 2084	2128	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe
"C:\Users\Admin\AppData\Local\Temp\8f0526488f3c0702880a0a4b20fecdedb1823d88f1725c771de920a9db90964c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81da78e4c29b5abf222c1425d1b8da16

SHA1
c68fae858982c6217d14f0a94f1e424dc47e5abb

SHA256
e1c0bac8ec1a6de7acf76dbaae7862a630d01697c06843f75330f8be29261f38

SHA512
859ff4f8d8119e4a12c83c8aa7a7c392b9bde66358d189f67f0d44ae6777f75dd7f994536d812cb00f0612a9c4444a3775ff729512d50c1a6173f23b5866fdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1e654d42f9fa8d0ec853e0b1bd172238

SHA1
689287abd5b8a13cf7f8872a5d5849bcdb193d49

SHA256
2065704d74e93638802177650020e37af0e9f889ca5bc27475772ec1b8aa99d3

SHA512
26217a0ad7d4ac15335dd31342c49cf1b82e470a7e4745e90b969353c9d89511a85e03076186c8d7cae0778846954d98bd74b589c66656f88e5d06026775192f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0d7287608e57c918d75f595179c5fa29

SHA1
d16c5add83d14855a0d674ca2d287ef0233e7062

SHA256
539b077eb4ef610403f7c3cdec3fd11482b2a0c4f3c254c2e8f6f2a51905c9d1

SHA512
0050624a5937e196a1e7d08318d9a499ea706cf8023bf7c6b1ba42a671e98e202ab83723740e9aab99bd6c17c3895ca1f2b17f6e94dd81d1d01c064b997c8bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
16b9011648a577741b7fb4a55f1eeaac

SHA1
b0d86d1cf62b882bf28f0897ddb610e41cc6814c

SHA256
7bf3fbb9962c054e651caf4e49fa468d5892cb0bf88f4bbf3fd85b372a7d173c

SHA512
1d8631904aa2df5a90aef858d4369ed53d0075f97b42361a8e05c9a64f8e6a786897b625b1230d20415f3923db8aa5d8f5f619b7b9084202fecf4e7cead4366d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bb9395587cc14c766416490141458d90

SHA1
c2eb344a496636642bfe53c1bf53677bcd2242b8

SHA256
27af8524969c76b88a2dacf15c29145082c3fc0e507197a0630c177d286da3c0

SHA512
2407b8108e900dc2b0ea46453c5b6b1c7320cede967aded9be599c43c5a75408bd3a3adc74d21991b2210d66d369cbd86ffd6e9b07dde5ba03a28c05fcb9bf55

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c2117d403ba4eafa118ea801fb187d25

SHA1
d8ea12ca8e40d4701e93be0a4190326bcd31802a

SHA256
c8192a2d73efb4836d9503abc8de9905b948f22aab949a020684d006af06f51d

SHA512
0844d4321a0d431eabb9d89337e5fe74403d9256b950e6b83e74a8026eb5f95d8f3dc242886582f127c4e51fc79e9ac90f9a3d12aae5d0b3a2738e37a2b8cd12

Download Submit
memory/536-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/592-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/592-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/828-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/852-41-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/852-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-84-0x0000000005A30000-0x0000000005B8F000-memory.dmp

Filesize
1.4MB

Download
memory/980-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/996-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1216-134-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/1472-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1472-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1496-180-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2128-97-0x0000000004670000-0x00000000047CF000-memory.dmp

Filesize
1.4MB

Download
memory/2232-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-229-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2508-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2524-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2524-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2652-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2760-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2808-60-0x0000000005E30000-0x0000000005F8F000-memory.dmp

Filesize
1.4MB

Download
memory/2896-14-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download
memory/2896-15-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download
memory/2992-205-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download