9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
Size

1.1MB
MD5

3cb1210ca16b02ff71866835040bda3c
SHA1

9107c0c91a73ee5b45b560abaedd06594e9f94d2
SHA256

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e
SHA512

f328ed0540efbfb22bf88fcafc0ee974a31a2d33556fec96ab9b7a0e74d0a59c4075a913bd7f68ad62802d62c02991c0eab30e5b9a9ef94109ae7edc98752601
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qf:CcaClSFlG4ZM7QzMo

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2764 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2764	svchcst.exe
1676	svchcst.exe
1096	svchcst.exe
2284	svchcst.exe
976	svchcst.exe
2368	svchcst.exe
1872	svchcst.exe
1460	svchcst.exe
2856	svchcst.exe
3040	svchcst.exe
2176	svchcst.exe
1160	svchcst.exe
2108	svchcst.exe
2744	svchcst.exe
1464	svchcst.exe
1148	svchcst.exe
2796	svchcst.exe
1440	svchcst.exe
2472	svchcst.exe
2532	svchcst.exe
1800	svchcst.exe
2976	svchcst.exe
604	svchcst.exe

Loads dropped DLL 33 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
3040	WScript.exe
3040	WScript.exe
2516	WScript.exe
1932	WScript.exe
2236	WScript.exe
2292	WScript.exe
2004	WScript.exe
1584	WScript.exe
1584	WScript.exe
2588	WScript.exe
2588	WScript.exe
2180	WScript.exe
2180	WScript.exe
1192	WScript.exe
1100	WScript.exe
1100	WScript.exe
1100	WScript.exe
3060	WScript.exe
3060	WScript.exe
1128	WScript.exe
1128	WScript.exe
2572	WScript.exe
2572	WScript.exe
1648	WScript.exe
1648	WScript.exe
2656	WScript.exe
2656	WScript.exe
1096	WScript.exe
1096	WScript.exe
2116	WScript.exe
2116	WScript.exe
528	WScript.exe
528	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exesvchcst.exesvchcst.exe

pid	process
2856	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe

pid process

2856 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2856	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
2856	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
2764	svchcst.exe
2764	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
976	svchcst.exe
976	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
1872	svchcst.exe
1872	svchcst.exe
1460	svchcst.exe
1460	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
1160	svchcst.exe
1160	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
1464	svchcst.exe
1464	svchcst.exe
1148	svchcst.exe
1148	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
1440	svchcst.exe
1440	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
1800	svchcst.exe
1800	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
604	svchcst.exe
604	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exe

description	pid	process	target process
PID 2856 wrote to memory of 3040	2856	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 2856 wrote to memory of 3040	2856	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 2856 wrote to memory of 3040	2856	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 2856 wrote to memory of 3040	2856	9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe	WScript.exe
PID 3040 wrote to memory of 2764	3040	WScript.exe	svchcst.exe
PID 3040 wrote to memory of 2764	3040	WScript.exe	svchcst.exe
PID 3040 wrote to memory of 2764	3040	WScript.exe	svchcst.exe
PID 3040 wrote to memory of 2764	3040	WScript.exe	svchcst.exe
PID 2764 wrote to memory of 2516	2764	svchcst.exe	WScript.exe
PID 2764 wrote to memory of 2516	2764	svchcst.exe	WScript.exe
PID 2764 wrote to memory of 2516	2764	svchcst.exe	WScript.exe
PID 2764 wrote to memory of 2516	2764	svchcst.exe	WScript.exe
PID 2516 wrote to memory of 1676	2516	WScript.exe	svchcst.exe
PID 2516 wrote to memory of 1676	2516	WScript.exe	svchcst.exe
PID 2516 wrote to memory of 1676	2516	WScript.exe	svchcst.exe
PID 2516 wrote to memory of 1676	2516	WScript.exe	svchcst.exe
PID 1676 wrote to memory of 1932	1676	svchcst.exe	WScript.exe
PID 1676 wrote to memory of 1932	1676	svchcst.exe	WScript.exe
PID 1676 wrote to memory of 1932	1676	svchcst.exe	WScript.exe
PID 1676 wrote to memory of 1932	1676	svchcst.exe	WScript.exe
PID 1932 wrote to memory of 1096	1932	WScript.exe	svchcst.exe
PID 1932 wrote to memory of 1096	1932	WScript.exe	svchcst.exe
PID 1932 wrote to memory of 1096	1932	WScript.exe	svchcst.exe
PID 1932 wrote to memory of 1096	1932	WScript.exe	svchcst.exe
PID 1096 wrote to memory of 2236	1096	svchcst.exe	WScript.exe
PID 1096 wrote to memory of 2236	1096	svchcst.exe	WScript.exe
PID 1096 wrote to memory of 2236	1096	svchcst.exe	WScript.exe
PID 1096 wrote to memory of 2236	1096	svchcst.exe	WScript.exe
PID 2236 wrote to memory of 2284	2236	WScript.exe	svchcst.exe
PID 2236 wrote to memory of 2284	2236	WScript.exe	svchcst.exe
PID 2236 wrote to memory of 2284	2236	WScript.exe	svchcst.exe
PID 2236 wrote to memory of 2284	2236	WScript.exe	svchcst.exe
PID 2284 wrote to memory of 2292	2284	svchcst.exe	WScript.exe
PID 2284 wrote to memory of 2292	2284	svchcst.exe	WScript.exe
PID 2284 wrote to memory of 2292	2284	svchcst.exe	WScript.exe
PID 2284 wrote to memory of 2292	2284	svchcst.exe	WScript.exe
PID 2292 wrote to memory of 976	2292	WScript.exe	svchcst.exe
PID 2292 wrote to memory of 976	2292	WScript.exe	svchcst.exe
PID 2292 wrote to memory of 976	2292	WScript.exe	svchcst.exe
PID 2292 wrote to memory of 976	2292	WScript.exe	svchcst.exe
PID 976 wrote to memory of 2004	976	svchcst.exe	WScript.exe
PID 976 wrote to memory of 2004	976	svchcst.exe	WScript.exe
PID 976 wrote to memory of 2004	976	svchcst.exe	WScript.exe
PID 976 wrote to memory of 2004	976	svchcst.exe	WScript.exe
PID 2004 wrote to memory of 2368	2004	WScript.exe	svchcst.exe
PID 2004 wrote to memory of 2368	2004	WScript.exe	svchcst.exe
PID 2004 wrote to memory of 2368	2004	WScript.exe	svchcst.exe
PID 2004 wrote to memory of 2368	2004	WScript.exe	svchcst.exe
PID 2368 wrote to memory of 1584	2368	svchcst.exe	WScript.exe
PID 2368 wrote to memory of 1584	2368	svchcst.exe	WScript.exe
PID 2368 wrote to memory of 1584	2368	svchcst.exe	WScript.exe
PID 2368 wrote to memory of 1584	2368	svchcst.exe	WScript.exe
PID 1584 wrote to memory of 1872	1584	WScript.exe	svchcst.exe
PID 1584 wrote to memory of 1872	1584	WScript.exe	svchcst.exe
PID 1584 wrote to memory of 1872	1584	WScript.exe	svchcst.exe
PID 1584 wrote to memory of 1872	1584	WScript.exe	svchcst.exe
PID 1872 wrote to memory of 1960	1872	svchcst.exe	WScript.exe
PID 1872 wrote to memory of 1960	1872	svchcst.exe	WScript.exe
PID 1872 wrote to memory of 1960	1872	svchcst.exe	WScript.exe
PID 1872 wrote to memory of 1960	1872	svchcst.exe	WScript.exe
PID 1584 wrote to memory of 1460	1584	WScript.exe	svchcst.exe
PID 1584 wrote to memory of 1460	1584	WScript.exe	svchcst.exe
PID 1584 wrote to memory of 1460	1584	WScript.exe	svchcst.exe
PID 1584 wrote to memory of 1460	1584	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe
"C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
PID:1960

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2588

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
PID:2492

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2180

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
PID:2976

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:1192

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:1100

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
PID:276

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:3060

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1148

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1128

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:1648

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2656

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2116

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:528

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9ac34382b3b2b527e79a84793e273f78

SHA1
060474ffdfe4ed5f2981a4059bb27bc5aa2ca21e

SHA256
ec2b756bcd86c66931828932e2faf585f6792b46c1cbb4dad6251c38943d475e

SHA512
36b6f137ddfee7d1ea9506fc0a0e19368b87655f5eb50380dd97ac9eafa69237bb8cba9d33cbdc3a7b42797d099453ff2b0aa4bfff42df1846ed86fc432b309a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1023KB

MD5
b10f68ba9ebd3b819da4be2e0d597f4e

SHA1
b0fc0bd7169fe45a1116116c20ceef191b96037e

SHA256
833e2453eafe6b716d5f3bfd62c9142e6cfe17d44604a9cb64b166737aa8d9f4

SHA512
901c8a1edb4233c3eee92fdc2f7cb546cf34acf84a89cd20c60948e6ce7f9c7a35fa074921b8a01623cf90f32c8e32a4ee981fe84ce416e10a7b82770abdc381

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
827KB

MD5
f21c274add6f68abbe173d5a56cd1b87

SHA1
ec21a2daf446e350caceb7cd442c7c884114e704

SHA256
9d5ac21c38e1a8957ee4955df4ddd82cab5924e5bf77c224875330849352291e

SHA512
502a7d33358778d639a3d77122d8141ff359586b94526b8edb506617ee9c4b4aa4efe3d4a842842b432b4153bdb5fadde409300074f765454aa08594ab39a30a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
502KB

MD5
6c7c14146ea4f274fb125f7272c7657b

SHA1
d42b2069f27a259a2e94d04ffd5f4139753b93cf

SHA256
bc821b5517428117ed808690c3d0e9a4f962e25d6bd0c0946c520c78ec3b773b

SHA512
b02e7c44544fef5a13c8a03936f0a5a8371006588cc20281fd006bb987f1e0af64807f018243737d100825eac65851938d01db0d42f91195def1619d11fa9e64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
878KB

MD5
f357ee21e8909b2637bfc8fb601b07f8

SHA1
57dde600c63cc54bf3a32a6c0ab046fe7f73e18f

SHA256
1653df838ea35052ce23026f3ce82671010ffe2a5cf5e73b127d6492ddec0b5a

SHA512
848cf5b987c346b0f47b18575b9f78bf0e431501a74f2615314c08f8f3ad80013eeb3f2c61ac16bcf1071db13e4f065e1f134f797d3588d7a7201817eee975d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
229KB

MD5
8791e512506fcb2893ca2a7b33738a44

SHA1
00e931316c854293abe79989380f30de85c8447b

SHA256
581dc56e5bf85e9e8f3187df45e62d6cf90a089b96f317cadd5e3f4a975b0344

SHA512
8b94c449794bd88bc0ffcf8e8f60c2d3f84ca9837ed0c592a90377c2a277ffc44f83a1b485cee2ad9769b8ca96f3fc8cd1cd1d162b3cd8fcfb789830b022b2d1

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
952KB

MD5
b08fbf68e6da490403ff16381636f4db

SHA1
3f38f922b7eaaac8fdd722302be99155a26248d8

SHA256
17acf6eb824c95d1f72d5bf1c5b3f7597a98c6edb722dcf483a93e43d72c6de5

SHA512
7907de422c1c0a3f93eaf36d06ecda7f89df7b2ad0b53b623bdfbef49930db7c3348f0985992f4a57609938b214d3f06aa3d105bd729749c56220b3cd6b1b47f

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
354KB

MD5
fbbf6e2ccb0dbb078fb65c536cc89f47

SHA1
80f5bcefc153470b07e7f49d845a992070a46449

SHA256
f3113785dad80bf60bb5a23a2578e7086e5b1a303d28e0e6a4c64c9221f53663

SHA512
dfdc04fc0c3d919c72a4c377bef113d397b97a09563cb81c83a622c7fa26bf629b6b8bdbe1e5530e6b85a7bb66b730950aac9f0616c7b2bd73250839a73b03b1

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
552KB

MD5
a8836fd41f4a97a2a022a92da983fbe9

SHA1
050f2452612b9f67ab3e26ee78e1447b61785ed6

SHA256
a1e5959d4e02e09451ce33e3e37cbfe6333c19a35d33cf35766e619853f56212

SHA512
856fbcb3ab4914191d48fabb92c3f959f85558d70cb9dd5077eb42aadd535c545e582e8e8775e2055c37c5bf8b39f22f0d6e939dd18ca17458c1276c4e99d8f6

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
661KB

MD5
60e1ca004125977d1f8980464e2cfa70

SHA1
1e0d6c3220aa75f664324f2abe0d19a5b7c69b92

SHA256
db86d9c6b47699812951766de422440605268b55b76b2ab35a912554f030dbe5

SHA512
8bcb79b00c658f67f9d69933a744f354176577548954d9ecae2981089a175cd56a5e7ddbdd4b78b920739b4ed3c5529852ea646f8d91a083934a3ac05181e06f

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
44359611d3dbda466f71868d64ac2dcb

SHA1
a72d353406c55d60d2c253fcb6d4d9b0d1698746

SHA256
54a155e2ecf45901a714f8c504e9fd3e53266d91a321180605aea7d1fcbcc741

SHA512
52c09ebb563f136cc3f4ca7bbbb8dcbc3fdf1b79b2ca290411fc6015534a2499722e8c8abd446d8cd3e7276a85d76700158816eb0272897e8d9ac7b73a930480

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
832KB

MD5
c90d3f79161670ce94f06e5514560453

SHA1
453afe30dbfca2586ef0b6536dbe1c35ab9eefda

SHA256
862cdfe637dd5458c1521a1a3aaa74be322647e08e13fd7d13e43a8aa6f23825

SHA512
936b8e3277f502164804ce1c00f22eef00b7d256b4653b5db5b2b03088d3dfd20b51ada50b867bf6afebf0eef6166aa57bb55dfb89a718b00c87abe8ce171e1f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
914KB

MD5
2e698d56b34d4d58156fbe00e6b9a1c6

SHA1
c74f3d5fca80e69fa614b829abb23fa31d891604

SHA256
7742873ac05e7679a3fa9eafc987a68f44912ce22feeb8d1843a622916611ae7

SHA512
02aabbd08b1dbbc09332856f43e06609aefda5d9f72d523b80e3aa580213cb2d1f532867a6f61c61e6e0c5d6931d6753d2ab5d4898d53743f36e3bae1a92c9e3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
483KB

MD5
e8b040d53d137dcf8b232ed1366edb70

SHA1
28a7d40298f23d5dc1d94206ef38e4397ed960c8

SHA256
d3eeba3305e4a16b8a5d26c479016f55dff772f7215e70c8c60d388972ab2ec6

SHA512
94db32b97d7181f37346f43abd394db33d03d881eee1d12b0d8feecae667cb0a55a3d557a5b0c5d3b815a7df7658e263bb20d8158c557258deeddc541d731711

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
932KB

MD5
1c8384e69e50f70352988a68e7a53ae9

SHA1
256f9088ae2bd58bf9fd82147b39b6540625b15c

SHA256
e33d02a2be228cf314b0c83529ecf0ff98524e9688afb31c6af1baeaf4835429

SHA512
cc13bcded1eceb51c6f2807e9616235d423df3a52d4d738e6e3fc25336f0cc9608cdb0d4fc66aeb859de18eafb90829ed0d7b8ce1e57f386ea81018030a2c87f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
311KB

MD5
707b321aecdadf975041a3aba828beef

SHA1
5fd7ef898c46e4e9d682b81505666eaceb0da001

SHA256
e3e787b1a13be39d24ce7f8d5194ce9cf6d028350a9635f84c46ba6b97deace3

SHA512
bf07b1d493a57fc79ac6c430720e81bd1cf23e13b8f579f9c10fc2ed87f8970de2215e85598a68a010f6023d084baf39c9f792525c6b5c2f24b6079000dc6d52

Download Submit