06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe
Size

1.1MB
MD5

08ba3a37f5acf922091e5a204b58fa0b
SHA1

b85a1ac27faa71f4da7152fa280abeb7fbfdcc98
SHA256

06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e
SHA512

b6a29b90c228db90632627da9d873ecd18546d3c155a0fa1e353e04f48f7ac8f9d93ac8ca6f875cb2dee72dcb8ffdcb0e7cdec57ba45d42da135ea1eb234b9c8
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qu:CcaClSFlG4ZM7QzM1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2640 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2640	svchcst.exe
2396	svchcst.exe
2468	svchcst.exe
2248	svchcst.exe
580	svchcst.exe
412	svchcst.exe
784	svchcst.exe
2656	svchcst.exe
2724	svchcst.exe
2788	svchcst.exe
380	svchcst.exe
1780	svchcst.exe
2076	svchcst.exe
2260	svchcst.exe
448	svchcst.exe
556	svchcst.exe
1904	svchcst.exe
3012	svchcst.exe
3052	svchcst.exe
1484	svchcst.exe
1712	svchcst.exe
2096	svchcst.exe
2280	svchcst.exe

Loads dropped DLL 33 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2788	WScript.exe
2788	WScript.exe
380	WScript.exe
288	WScript.exe
872	WScript.exe
2556	WScript.exe
544	WScript.exe
1700	WScript.exe
1700	WScript.exe
2824	WScript.exe
2992	WScript.exe
3008	WScript.exe
3008	WScript.exe
1864	WScript.exe
1864	WScript.exe
1056	WScript.exe
1056	WScript.exe
628	WScript.exe
628	WScript.exe
1644	WScript.exe
1644	WScript.exe
2720	WScript.exe
2720	WScript.exe
2620	WScript.exe
2620	WScript.exe
2604	WScript.exe
2604	WScript.exe
1824	WScript.exe
1824	WScript.exe
700	WScript.exe
700	WScript.exe
1572	WScript.exe
1572	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exesvchcst.exesvchcst.exe

pid	process
3068	06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe

pid process

3068 06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
3068	06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe
3068	06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe
2640	svchcst.exe
2640	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
580	svchcst.exe
580	svchcst.exe
412	svchcst.exe
412	svchcst.exe
784	svchcst.exe
784	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
380	svchcst.exe
380	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
2076	svchcst.exe
2076	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
448	svchcst.exe
448	svchcst.exe
556	svchcst.exe
556	svchcst.exe
1904	svchcst.exe
1904	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1712	svchcst.exe
1712	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exe

description	pid	process	target process
PID 3068 wrote to memory of 2788	3068	06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe	WScript.exe
PID 3068 wrote to memory of 2788	3068	06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe	WScript.exe
PID 3068 wrote to memory of 2788	3068	06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe	WScript.exe
PID 3068 wrote to memory of 2788	3068	06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe	WScript.exe
PID 2788 wrote to memory of 2640	2788	WScript.exe	svchcst.exe
PID 2788 wrote to memory of 2640	2788	WScript.exe	svchcst.exe
PID 2788 wrote to memory of 2640	2788	WScript.exe	svchcst.exe
PID 2788 wrote to memory of 2640	2788	WScript.exe	svchcst.exe
PID 2640 wrote to memory of 380	2640	svchcst.exe	WScript.exe
PID 2640 wrote to memory of 380	2640	svchcst.exe	WScript.exe
PID 2640 wrote to memory of 380	2640	svchcst.exe	WScript.exe
PID 2640 wrote to memory of 380	2640	svchcst.exe	WScript.exe
PID 380 wrote to memory of 2396	380	WScript.exe	svchcst.exe
PID 380 wrote to memory of 2396	380	WScript.exe	svchcst.exe
PID 380 wrote to memory of 2396	380	WScript.exe	svchcst.exe
PID 380 wrote to memory of 2396	380	WScript.exe	svchcst.exe
PID 2396 wrote to memory of 288	2396	svchcst.exe	WScript.exe
PID 2396 wrote to memory of 288	2396	svchcst.exe	WScript.exe
PID 2396 wrote to memory of 288	2396	svchcst.exe	WScript.exe
PID 2396 wrote to memory of 288	2396	svchcst.exe	WScript.exe
PID 288 wrote to memory of 2468	288	WScript.exe	svchcst.exe
PID 288 wrote to memory of 2468	288	WScript.exe	svchcst.exe
PID 288 wrote to memory of 2468	288	WScript.exe	svchcst.exe
PID 288 wrote to memory of 2468	288	WScript.exe	svchcst.exe
PID 2468 wrote to memory of 872	2468	svchcst.exe	WScript.exe
PID 2468 wrote to memory of 872	2468	svchcst.exe	WScript.exe
PID 2468 wrote to memory of 872	2468	svchcst.exe	WScript.exe
PID 2468 wrote to memory of 872	2468	svchcst.exe	WScript.exe
PID 872 wrote to memory of 2248	872	WScript.exe	svchcst.exe
PID 872 wrote to memory of 2248	872	WScript.exe	svchcst.exe
PID 872 wrote to memory of 2248	872	WScript.exe	svchcst.exe
PID 872 wrote to memory of 2248	872	WScript.exe	svchcst.exe
PID 2248 wrote to memory of 2556	2248	svchcst.exe	WScript.exe
PID 2248 wrote to memory of 2556	2248	svchcst.exe	WScript.exe
PID 2248 wrote to memory of 2556	2248	svchcst.exe	WScript.exe
PID 2248 wrote to memory of 2556	2248	svchcst.exe	WScript.exe
PID 2556 wrote to memory of 580	2556	WScript.exe	svchcst.exe
PID 2556 wrote to memory of 580	2556	WScript.exe	svchcst.exe
PID 2556 wrote to memory of 580	2556	WScript.exe	svchcst.exe
PID 2556 wrote to memory of 580	2556	WScript.exe	svchcst.exe
PID 580 wrote to memory of 544	580	svchcst.exe	WScript.exe
PID 580 wrote to memory of 544	580	svchcst.exe	WScript.exe
PID 580 wrote to memory of 544	580	svchcst.exe	WScript.exe
PID 580 wrote to memory of 544	580	svchcst.exe	WScript.exe
PID 544 wrote to memory of 412	544	WScript.exe	svchcst.exe
PID 544 wrote to memory of 412	544	WScript.exe	svchcst.exe
PID 544 wrote to memory of 412	544	WScript.exe	svchcst.exe
PID 544 wrote to memory of 412	544	WScript.exe	svchcst.exe
PID 412 wrote to memory of 1700	412	svchcst.exe	WScript.exe
PID 412 wrote to memory of 1700	412	svchcst.exe	WScript.exe
PID 412 wrote to memory of 1700	412	svchcst.exe	WScript.exe
PID 412 wrote to memory of 1700	412	svchcst.exe	WScript.exe
PID 1700 wrote to memory of 784	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 784	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 784	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 784	1700	WScript.exe	svchcst.exe
PID 784 wrote to memory of 2292	784	svchcst.exe	WScript.exe
PID 784 wrote to memory of 2292	784	svchcst.exe	WScript.exe
PID 784 wrote to memory of 2292	784	svchcst.exe	WScript.exe
PID 784 wrote to memory of 2292	784	svchcst.exe	WScript.exe
PID 1700 wrote to memory of 2656	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 2656	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 2656	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 2656	1700	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe
"C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
PID:2292

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2824

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2992

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:3008

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:380

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
PID:2044

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:1864

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
PID:2252

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1056

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:628

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1644

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
1⤵
- Loads dropped DLL
PID:2720

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
3⤵
- Loads dropped DLL
PID:2620

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
5⤵
- Loads dropped DLL
PID:2604

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
7⤵
- Loads dropped DLL
PID:1824

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
9⤵
- Loads dropped DLL
PID:700

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
11⤵
- Loads dropped DLL
PID:1572

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
13⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
85039f29e9fbdb42ba1fe566ad4e177a

SHA1
f1e06b305c768c772be59f0ea8ca3c58d5aebfc6

SHA256
4d2f0853887f504b4b3708f6530ecaf60bcb50be07aa64353513be03f7aa488c

SHA512
ed6960f56c46533e2576127fd4c5c36e4d25e2708f6fa3e070b5487014b194f1b092d30adc2327d4f8d21b688602ba669e5a7b64be398ffaad61a6bdba42f21a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0d7287608e57c918d75f595179c5fa29

SHA1
d16c5add83d14855a0d674ca2d287ef0233e7062

SHA256
539b077eb4ef610403f7c3cdec3fd11482b2a0c4f3c254c2e8f6f2a51905c9d1

SHA512
0050624a5937e196a1e7d08318d9a499ea706cf8023bf7c6b1ba42a671e98e202ab83723740e9aab99bd6c17c3895ca1f2b17f6e94dd81d1d01c064b997c8bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
632KB

MD5
307d5712f3fe39c3bded854b3ced8c04

SHA1
030e81103328f392307f057ec7c792b8999ec687

SHA256
65bcc9e3e96546662b4ae95c1324fbc4be4e69595fe94acf52a07546601f6028

SHA512
bf0ccfcd7072b98ad50d02b104b7414349d4f7fed2f9e5933d4fcd174498308768a1c691b5ade9571e65baea68388571e3da8a3ea0ddab9c2ad89c5f29df6dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
11dacc69a1202b2953c05fc7da7fcaa8

SHA1
1a9856a59735288889a836d96a75ccc29139337b

SHA256
0ac845ba2f3f564d928685986965254862cd6fad24db66d0d80cebba17815fde

SHA512
8463adb45328af3453ee3802c73ff10b18e63c2f8a1ab15b467b6af224718c79fadbd1a3b6ac25537bb1b99bc1a92d69ebce31f629b5a95acba3cbf124b88d5c

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
744KB

MD5
37a23942520c13dea3baf4b91bf5e491

SHA1
b29c4d777174da2ecc940b7c13c01e04f51d06ed

SHA256
3fffef5604c8280607c10b328251e96b21a2bf02cddcbed3e2c39e84e8d4a618

SHA512
5c4b581668e97886ccd251b0e18fa80bef34d8845275812d065579221de142db700d6c23fe53afee1d971a0c1757ee8126bea5dc50075a9c42cf33b8d711b39a

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
996KB

MD5
61960d372759052738358480bd51d945

SHA1
ffd28363bf8b576d799cb187244c86302f24c514

SHA256
2f1f639a11ee39508a8667d468ecb89840374e014bf353b09578a0fd5e318149

SHA512
bf146eaaaee29023dcbb56ff6cb1d70e289c021cf6d68eff1099054e0523b62d2e43b1ddc5aae7f8e558eb7a1c4c6cbaf762c3ccd790e512c814f78121c1b4cc

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
949KB

MD5
8d65d5df8a2ff08ff8fd961145207200

SHA1
b13b36e678e59bc694343fbf1233beb4da383d96

SHA256
2ed0affbb87a9372a80f22d1c958355012d1941c978c06a04500488997579236

SHA512
11edf23c77a9b87317b97033b1ae2ed5e62ac71e641a13d204805b1d9ae0408a52b0933c00191ba6b13287edd1e9738519b864a3fd0d66202ff76a4e98e7727d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
532KB

MD5
22d2cdc8f769381f4edfa0f8ba72da0a

SHA1
683be64b21ddd1f635567f4847961e965265c454

SHA256
fa475efa73e4bcf4a887c36371c2070e5dcd6388d411e492aa61337202be7000

SHA512
deab74bf1b56016b275b8fa63d82e7f9ff4058b724352fa7e628f34b970c44503b597364dd57089d89d12df83e9496da508b180576208ca3f587dc879172ec09

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
926KB

MD5
67035f6e88cdc9e969185ba64e831a1a

SHA1
3b5e8ebe9a0a4b02161f2da70d9ac96725c2fc82

SHA256
aa67139ebbfdf9e6c4338ced12945d49072510fdb7bace17217ac863c248f6f4

SHA512
3dd64df2daf295bf06c1466743daaa4db68f2956fc124ecae5477d60ab803a12558e34cb07faf3f4e2ecac9bc05d041ab3d79a1d95e622e56835b1119a4c68f9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.0MB

MD5
0db4cfe036fdcefe611b25d21c05bd86

SHA1
876953df7d1697ec6f66b475a5b7d39f413fe4c4

SHA256
7359e5d6915effa4784f97a8545e4ea624e7746eb2bd7247bd82d673631cdee9

SHA512
e9c27def6db1f128e69917dfb2a3fab7d64a7e7f67381097d8e5e0f3ac658857d7c4dabb9e3913eb58c1c85605622c6762e7540b5804b56c4371cbe6a47249cb

Download Submit