8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
Size

1.1MB
MD5

b40e49cf9a6ede7662eb6f35c72a8c2b
SHA1

b84433a77180667379099f11bd317fc778c471c0
SHA256

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95
SHA512

14c3afdbe4e5219a5678b296c33adc570235f41478b4a675eb21784e6472337695ab9e79d06a85af73c35f059b3251c5e31916fb3075b4cd037f4db5877b2487
SSDEEP

24576:aH0dl8myX9BgT2QoXFkrzkmmlSgRZbo0lG4Z8r7Qfbkiu5QH:a1aClSQlG4ZM7QzMU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2632 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2632	svchcst.exe
284	svchcst.exe
2680	svchcst.exe
1636	svchcst.exe
608	svchcst.exe
1688	svchcst.exe
896	svchcst.exe
1840	svchcst.exe
2952	svchcst.exe
1932	svchcst.exe
2188	svchcst.exe
2312	svchcst.exe
1560	svchcst.exe
1556	svchcst.exe
1136	svchcst.exe
1016	svchcst.exe
1240	svchcst.exe
2456	svchcst.exe
772	svchcst.exe
1492	svchcst.exe
2304	svchcst.exe
2104	svchcst.exe
1348	svchcst.exe

Loads dropped DLL 35 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2028	WScript.exe
2028	WScript.exe
2248	WScript.exe
1304	WScript.exe
1304	WScript.exe
2344	WScript.exe
2344	WScript.exe
1240	WScript.exe
2388	WScript.exe
1096	WScript.exe
108	WScript.exe
1236	WScript.exe
1236	WScript.exe
1236	WScript.exe
2316	WScript.exe
1288	WScript.exe
1288	WScript.exe
2264	WScript.exe
2264	WScript.exe
1608	WScript.exe
1608	WScript.exe
2164	WScript.exe
2164	WScript.exe
2928	WScript.exe
2928	WScript.exe
1028	WScript.exe
1028	WScript.exe
108	WScript.exe
108	WScript.exe
1052	WScript.exe
1052	WScript.exe
2036	WScript.exe
2036	WScript.exe
1164	WScript.exe
1164	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exesvchcst.exesvchcst.exe

pid	process
2208	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
284	svchcst.exe
284	svchcst.exe
284	svchcst.exe
284	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe

pid process

2208 8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2208	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
2208	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
2632	svchcst.exe
2632	svchcst.exe
284	svchcst.exe
284	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
608	svchcst.exe
608	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
896	svchcst.exe
896	svchcst.exe
1840	svchcst.exe
1840	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
1556	svchcst.exe
1556	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
1016	svchcst.exe
1016	svchcst.exe
1240	svchcst.exe
1240	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
772	svchcst.exe
772	svchcst.exe
1492	svchcst.exe
1492	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
1348	svchcst.exe
1348	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exe

description	pid	process	target process
PID 2208 wrote to memory of 2028	2208	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe	WScript.exe
PID 2208 wrote to memory of 2028	2208	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe	WScript.exe
PID 2208 wrote to memory of 2028	2208	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe	WScript.exe
PID 2208 wrote to memory of 2028	2208	8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe	WScript.exe
PID 2028 wrote to memory of 2632	2028	WScript.exe	svchcst.exe
PID 2028 wrote to memory of 2632	2028	WScript.exe	svchcst.exe
PID 2028 wrote to memory of 2632	2028	WScript.exe	svchcst.exe
PID 2028 wrote to memory of 2632	2028	WScript.exe	svchcst.exe
PID 2632 wrote to memory of 2248	2632	svchcst.exe	WScript.exe
PID 2632 wrote to memory of 2248	2632	svchcst.exe	WScript.exe
PID 2632 wrote to memory of 2248	2632	svchcst.exe	WScript.exe
PID 2632 wrote to memory of 2248	2632	svchcst.exe	WScript.exe
PID 2632 wrote to memory of 2236	2632	svchcst.exe	WScript.exe
PID 2632 wrote to memory of 2236	2632	svchcst.exe	WScript.exe
PID 2632 wrote to memory of 2236	2632	svchcst.exe	WScript.exe
PID 2632 wrote to memory of 2236	2632	svchcst.exe	WScript.exe
PID 2248 wrote to memory of 284	2248	WScript.exe	svchcst.exe
PID 2248 wrote to memory of 284	2248	WScript.exe	svchcst.exe
PID 2248 wrote to memory of 284	2248	WScript.exe	svchcst.exe
PID 2248 wrote to memory of 284	2248	WScript.exe	svchcst.exe
PID 284 wrote to memory of 1304	284	svchcst.exe	WScript.exe
PID 284 wrote to memory of 1304	284	svchcst.exe	WScript.exe
PID 284 wrote to memory of 1304	284	svchcst.exe	WScript.exe
PID 284 wrote to memory of 1304	284	svchcst.exe	WScript.exe
PID 1304 wrote to memory of 2680	1304	WScript.exe	svchcst.exe
PID 1304 wrote to memory of 2680	1304	WScript.exe	svchcst.exe
PID 1304 wrote to memory of 2680	1304	WScript.exe	svchcst.exe
PID 1304 wrote to memory of 2680	1304	WScript.exe	svchcst.exe
PID 2680 wrote to memory of 1296	2680	svchcst.exe	WScript.exe
PID 2680 wrote to memory of 1296	2680	svchcst.exe	WScript.exe
PID 2680 wrote to memory of 1296	2680	svchcst.exe	WScript.exe
PID 2680 wrote to memory of 1296	2680	svchcst.exe	WScript.exe
PID 1304 wrote to memory of 1636	1304	WScript.exe	svchcst.exe
PID 1304 wrote to memory of 1636	1304	WScript.exe	svchcst.exe
PID 1304 wrote to memory of 1636	1304	WScript.exe	svchcst.exe
PID 1304 wrote to memory of 1636	1304	WScript.exe	svchcst.exe
PID 1636 wrote to memory of 2344	1636	svchcst.exe	WScript.exe
PID 1636 wrote to memory of 2344	1636	svchcst.exe	WScript.exe
PID 1636 wrote to memory of 2344	1636	svchcst.exe	WScript.exe
PID 1636 wrote to memory of 2344	1636	svchcst.exe	WScript.exe
PID 2344 wrote to memory of 608	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 608	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 608	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 608	2344	WScript.exe	svchcst.exe
PID 608 wrote to memory of 1132	608	svchcst.exe	WScript.exe
PID 608 wrote to memory of 1132	608	svchcst.exe	WScript.exe
PID 608 wrote to memory of 1132	608	svchcst.exe	WScript.exe
PID 608 wrote to memory of 1132	608	svchcst.exe	WScript.exe
PID 2344 wrote to memory of 1688	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 1688	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 1688	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 1688	2344	WScript.exe	svchcst.exe
PID 1688 wrote to memory of 1240	1688	svchcst.exe	WScript.exe
PID 1688 wrote to memory of 1240	1688	svchcst.exe	WScript.exe
PID 1688 wrote to memory of 1240	1688	svchcst.exe	WScript.exe
PID 1688 wrote to memory of 1240	1688	svchcst.exe	WScript.exe
PID 1240 wrote to memory of 896	1240	WScript.exe	svchcst.exe
PID 1240 wrote to memory of 896	1240	WScript.exe	svchcst.exe
PID 1240 wrote to memory of 896	1240	WScript.exe	svchcst.exe
PID 1240 wrote to memory of 896	1240	WScript.exe	svchcst.exe
PID 896 wrote to memory of 2388	896	svchcst.exe	WScript.exe
PID 896 wrote to memory of 2388	896	svchcst.exe	WScript.exe
PID 896 wrote to memory of 2388	896	svchcst.exe	WScript.exe
PID 896 wrote to memory of 2388	896	svchcst.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe
"C:\Users\Admin\AppData\Local\Temp\8bc90ddbc0b8b731a8a7bad2401d4e7b043a81dd509cfb57f6894cf49e142e95.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
PID:1296

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
PID:1132

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
PID:2388

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
PID:1096

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:108

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:1236

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
PID:388

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2316

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:1288

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:2264

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1608

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:2164

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2928

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:1028

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:108

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:1052

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:1164

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
PID:1364

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
PID:2236

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
cdf3ff5a45662e2729827d54011e374b

SHA1
1dc8c1cb5a1229ac125e7fb737301b13e81e0e72

SHA256
554fe6f5cd8a3210c055745f8cbd83ed1226ecf63c425148f108f0a5b0e6aa21

SHA512
885e0510880caa547d560397a27465aa034905a5d34e36ac07f44e1090e20d624e36dbf70fbe984761c5f48b36a25c51ce1f7bd24713d7a112ac5944190bc274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
115addbfd8961aa7eaa0469a61775d66

SHA1
d13d9a5894a4c8865332049b3b9a48b0967dd143

SHA256
a15511d748ec82fc1042f208533bb9d5295cfc2ee37d0e0504ff04d816a0d5bf

SHA512
de92966618f97011ec87bb67e7d72a37f758193cc0f0740b9a290f534ed90a4efb4b1b0839201e17e01f552ed84b6f5c7b8d1fa7b4c6b8c346520cf0ed962150

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.1MB

MD5
f79e22b76d82ada76be962ee15a5a30c

SHA1
48099f659c350292289ab5b25def340ace203182

SHA256
75b544df81e54859404e0f1765f6265af2788a782807c60500ee0aa6ba7342b7

SHA512
bbc84c6e9b1c3b818abc84c7eedfec9a1f38077f56762f2da62699dfe42805058f0d9cb738266a304170db83d762481ee96cf5c2b8a3257dd5100cd48bb7d5be

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/284-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/284-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/608-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/608-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/772-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/772-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/896-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/896-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1016-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-149-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-85-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1240-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1288-185-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/1304-52-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/1348-240-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1556-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1556-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1560-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1688-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-105-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-123-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-15-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-14-0x00000000043F0000-0x000000000454F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-187-0x0000000005E10000-0x0000000005F6F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2304-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2304-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2312-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2344-73-0x00000000042A0000-0x00000000043FF000-memory.dmp

Filesize
1.4MB

Download
memory/2344-62-0x00000000059A0000-0x0000000005AFF000-memory.dmp

Filesize
1.4MB

Download
memory/2456-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2632-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads