5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe
Size

1.1MB
MD5

5e671b506290f309a6f0e29264942fca
SHA1

de6cf98dc4d09d1eb3b60d83125f146af5311847
SHA256

5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c
SHA512

df5640e5897a6a7b016327fc3d2ce9ca196592b779fd1d3d6b377ad594e395af36185f66215cad9dadde67ddad8f369c0c6628c97adb9bc310a15bc08b9ddad0
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2408 svchcst.exe

Executes dropped EXE 26 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2408	svchcst.exe
1432	svchcst.exe
272	svchcst.exe
3048	svchcst.exe
604	svchcst.exe
2872	svchcst.exe
1728	svchcst.exe
328	svchcst.exe
2776	svchcst.exe
2836	svchcst.exe
2580	svchcst.exe
2408	svchcst.exe
1620	svchcst.exe
2492	svchcst.exe
2444	svchcst.exe
2988	svchcst.exe
2672	svchcst.exe
2244	svchcst.exe
2468	svchcst.exe
1216	svchcst.exe
1224	svchcst.exe
2272	svchcst.exe
3032	svchcst.exe
2444	svchcst.exe
1564	svchcst.exe
1012	svchcst.exe

Loads dropped DLL 42 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2604	WScript.exe
2604	WScript.exe
2800	WScript.exe
2304	WScript.exe
2656	WScript.exe
2656	WScript.exe
2116	WScript.exe
2116	WScript.exe
556	WScript.exe
2360	WScript.exe
556	WScript.exe
2360	WScript.exe
2360	WScript.exe
2428	WScript.exe
2428	WScript.exe
2188	WScript.exe
1784	WScript.exe
1784	WScript.exe
2436	WScript.exe
2436	WScript.exe
2848	WScript.exe
2848	WScript.exe
2068	WScript.exe
2068	WScript.exe
2068	WScript.exe
2068	WScript.exe
1860	WScript.exe
1860	WScript.exe
1656	WScript.exe
1656	WScript.exe
1692	WScript.exe
1692	WScript.exe
2420	WScript.exe
2420	WScript.exe
1020	WScript.exe
1020	WScript.exe
1428	WScript.exe
1428	WScript.exe
1308	WScript.exe
1308	WScript.exe
1964	WScript.exe
1964	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exesvchcst.exesvchcst.exe

pid	process
2172	5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe

pid process

2172 5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe

Suspicious use of SetWindowsHookEx 52 IoCs

Processes:

5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2172	5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe
2172	5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe
2408	svchcst.exe
2408	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
272	svchcst.exe
272	svchcst.exe
3048	svchcst.exe
3048	svchcst.exe
604	svchcst.exe
604	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
328	svchcst.exe
328	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2672	svchcst.exe
2672	svchcst.exe
2244	svchcst.exe
2244	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1224	svchcst.exe
1224	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exeWScript.exeWScript.exe

description	pid	process	target process
PID 2172 wrote to memory of 2604	2172	5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe	WScript.exe
PID 2172 wrote to memory of 2604	2172	5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe	WScript.exe
PID 2172 wrote to memory of 2604	2172	5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe	WScript.exe
PID 2172 wrote to memory of 2604	2172	5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe	WScript.exe
PID 2604 wrote to memory of 2408	2604	WScript.exe	svchcst.exe
PID 2604 wrote to memory of 2408	2604	WScript.exe	svchcst.exe
PID 2604 wrote to memory of 2408	2604	WScript.exe	svchcst.exe
PID 2604 wrote to memory of 2408	2604	WScript.exe	svchcst.exe
PID 2408 wrote to memory of 2800	2408	svchcst.exe	WScript.exe
PID 2408 wrote to memory of 2800	2408	svchcst.exe	WScript.exe
PID 2408 wrote to memory of 2800	2408	svchcst.exe	WScript.exe
PID 2408 wrote to memory of 2800	2408	svchcst.exe	WScript.exe
PID 2800 wrote to memory of 1432	2800	WScript.exe	svchcst.exe
PID 2800 wrote to memory of 1432	2800	WScript.exe	svchcst.exe
PID 2800 wrote to memory of 1432	2800	WScript.exe	svchcst.exe
PID 2800 wrote to memory of 1432	2800	WScript.exe	svchcst.exe
PID 1432 wrote to memory of 2304	1432	svchcst.exe	WScript.exe
PID 1432 wrote to memory of 2304	1432	svchcst.exe	WScript.exe
PID 1432 wrote to memory of 2304	1432	svchcst.exe	WScript.exe
PID 1432 wrote to memory of 2304	1432	svchcst.exe	WScript.exe
PID 2304 wrote to memory of 272	2304	WScript.exe	svchcst.exe
PID 2304 wrote to memory of 272	2304	WScript.exe	svchcst.exe
PID 2304 wrote to memory of 272	2304	WScript.exe	svchcst.exe
PID 2304 wrote to memory of 272	2304	WScript.exe	svchcst.exe
PID 272 wrote to memory of 2656	272	svchcst.exe	WScript.exe
PID 272 wrote to memory of 2656	272	svchcst.exe	WScript.exe
PID 272 wrote to memory of 2656	272	svchcst.exe	WScript.exe
PID 272 wrote to memory of 2656	272	svchcst.exe	WScript.exe
PID 2656 wrote to memory of 3048	2656	WScript.exe	svchcst.exe
PID 2656 wrote to memory of 3048	2656	WScript.exe	svchcst.exe
PID 2656 wrote to memory of 3048	2656	WScript.exe	svchcst.exe
PID 2656 wrote to memory of 3048	2656	WScript.exe	svchcst.exe
PID 3048 wrote to memory of 2116	3048	svchcst.exe	WScript.exe
PID 3048 wrote to memory of 2116	3048	svchcst.exe	WScript.exe
PID 3048 wrote to memory of 2116	3048	svchcst.exe	WScript.exe
PID 3048 wrote to memory of 2116	3048	svchcst.exe	WScript.exe
PID 2656 wrote to memory of 604	2656	WScript.exe	svchcst.exe
PID 2656 wrote to memory of 604	2656	WScript.exe	svchcst.exe
PID 2656 wrote to memory of 604	2656	WScript.exe	svchcst.exe
PID 2656 wrote to memory of 604	2656	WScript.exe	svchcst.exe
PID 604 wrote to memory of 2360	604	svchcst.exe	WScript.exe
PID 604 wrote to memory of 2360	604	svchcst.exe	WScript.exe
PID 604 wrote to memory of 2360	604	svchcst.exe	WScript.exe
PID 604 wrote to memory of 2360	604	svchcst.exe	WScript.exe
PID 2116 wrote to memory of 2872	2116	WScript.exe	svchcst.exe
PID 2116 wrote to memory of 2872	2116	WScript.exe	svchcst.exe
PID 2116 wrote to memory of 2872	2116	WScript.exe	svchcst.exe
PID 2116 wrote to memory of 2872	2116	WScript.exe	svchcst.exe
PID 2872 wrote to memory of 556	2872	svchcst.exe	WScript.exe
PID 2872 wrote to memory of 556	2872	svchcst.exe	WScript.exe
PID 2872 wrote to memory of 556	2872	svchcst.exe	WScript.exe
PID 2872 wrote to memory of 556	2872	svchcst.exe	WScript.exe
PID 556 wrote to memory of 1728	556	WScript.exe	svchcst.exe
PID 556 wrote to memory of 1728	556	WScript.exe	svchcst.exe
PID 556 wrote to memory of 1728	556	WScript.exe	svchcst.exe
PID 556 wrote to memory of 1728	556	WScript.exe	svchcst.exe
PID 2360 wrote to memory of 328	2360	WScript.exe	svchcst.exe
PID 2360 wrote to memory of 328	2360	WScript.exe	svchcst.exe
PID 2360 wrote to memory of 328	2360	WScript.exe	svchcst.exe
PID 2360 wrote to memory of 328	2360	WScript.exe	svchcst.exe
PID 556 wrote to memory of 2776	556	WScript.exe	svchcst.exe
PID 556 wrote to memory of 2776	556	WScript.exe	svchcst.exe
PID 556 wrote to memory of 2776	556	WScript.exe	svchcst.exe
PID 556 wrote to memory of 2776	556	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe
"C:\Users\Admin\AppData\Local\Temp\5ca84cf244f7188989c6ec0f1651d3fb1782c54c72f3b0036c8aebbfec018f5c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1728

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
PID:2512

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:328

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
PID:2428

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
PID:2188

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:1784

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2436

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2848

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
PID:1012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2068

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
PID:1648

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1860

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1656

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1692

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2420

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:1020

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:1428

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:1308

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:1964

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
45e06e0ae977f3c8a13047c88d01d838

SHA1
974a1f2d1f6736c2e124ecd0e5eef171e6b0d549

SHA256
6bc0cae6d4391aa2273334bbebe7cf15b1bd4f9ee1acd5dabc4dc5282ae582ed

SHA512
9e54e1146b89745e3d98fecf981cc8294d663c24970a81c3d131ef6e45ba19ba06dd233d2c7ea17046ea26e2d3aeb3ba9cfe4e8d8545f5f27b3d84c61753ceb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86e9d2a5259c9583be33fe4d546d1b0a

SHA1
44423ac268f3d9cd14cae53d054aa2d1eccbf0fa

SHA256
4e49bff1f9101e9cf70e196e9a0a6e2a865261f6a2f5f72df924dc13a405e748

SHA512
d3f323a1c69bb3ee503d33656bb13ec5bc1a85e3b96d0c509dcf3c91b0cac7853f0fd1dbe33cf4142ae4ce0ebc87b192dd5a4929e0af33a12f88f62b933d22e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da324625e4b2f4e705d867617baa772c

SHA1
fc6bfc1595af0af027e743f41fb75762714f6573

SHA256
bc65cb17e97a4dc8ab8b566b62d798d239cac15e3b772629b644ef10183b9d39

SHA512
e7baf710f6b048114b6c87cf4a1195b3b11ea016f0bc63a3d96ca00d65cdd694045fbceb7cbcbcc0a0eec21717b0cc0cb666093dff9af68b3a2a3539ded69427

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c12f32660a4f7be40a0441efee9fa02

SHA1
3a93f751153a9e5f56b15e46394727217af21eef

SHA256
29704d912da20899327e6ca679ca764297beac3d31002c5bc63f66ce811259ee

SHA512
574d3a85f72d9e3ecfd2a93519cfb5cdbe54c1b5adc50a58f284b682f392e829bfa85219d4aef8efc2423b4921a2b229e809ffe7224493499cee1a268ee4015d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a06ede88d582e9ce9f786f95681f61bb

SHA1
064c70bf5496a31acdfbc331ba37e16cdf8a2aac

SHA256
f8e4248cafc037a83258c3a26905bc048d44280dc370a58f582f89acd26ddb05

SHA512
3d5d8254a2c3c7f4eb649f6fdd4ac78688d9bf3d8c8f2dc3e6787901dffed933724d4005977d5b01ee9973e4c7f10169f8990f154afa28e4908cfcfe1e95aa2a

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/272-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/272-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/328-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/328-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/556-88-0x0000000004600000-0x000000000475F000-memory.dmp

Filesize
1.4MB

Download
memory/604-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1012-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1216-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1216-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1224-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1224-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1432-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1564-249-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1656-200-0x0000000005CF0000-0x0000000005E4F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1728-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-217-0x0000000005C10000-0x0000000005D6F000-memory.dmp

Filesize
1.4MB

Download
memory/1860-191-0x0000000005C10000-0x0000000005D6F000-memory.dmp

Filesize
1.4MB

Download
memory/2116-71-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/2116-72-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/2172-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2172-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-132-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/2244-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2272-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2272-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2360-98-0x0000000004680000-0x00000000047DF000-memory.dmp

Filesize
1.4MB

Download
memory/2360-106-0x0000000004700000-0x000000000485F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2408-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2420-218-0x00000000046A0000-0x00000000047FF000-memory.dmp

Filesize
1.4MB

Download
memory/2444-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2444-163-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2468-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2580-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2656-58-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/2656-48-0x00000000059C0000-0x0000000005B1F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2672-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-165-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-164-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/2872-83-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2872-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download