10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
Size

1.1MB
MD5

5666f2fc8a62cb272fe59420d50907d1
SHA1

09b65e423d220d5c85c636ba78249aadc67be8f5
SHA256

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1
SHA512

71129cae2e22df79bd007d0db278ae4453b531fd3fea056973c7ae49ec7884ab44a8584e2a0fd2468a3d12e034cb44abd23ded242c84e03d18b28f96dc117b61
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qo:CcaClSFlG4ZM7QzM/

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2784 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2784	svchcst.exe
1824	svchcst.exe
268	svchcst.exe
2340	svchcst.exe
764	svchcst.exe
2440	svchcst.exe
1028	svchcst.exe
2368	svchcst.exe
2524	svchcst.exe
2932	svchcst.exe
1256	svchcst.exe
1624	svchcst.exe
2760	svchcst.exe
1320	svchcst.exe
2336	svchcst.exe
2100	svchcst.exe
1676	svchcst.exe
2556	svchcst.exe
2056	svchcst.exe
1500	svchcst.exe
1284	svchcst.exe
1924	svchcst.exe
840	svchcst.exe

Loads dropped DLL 46 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2092	WScript.exe
2092	WScript.exe
2512	WScript.exe
2512	WScript.exe
2776	WScript.exe
2776	WScript.exe
1608	WScript.exe
1608	WScript.exe
1984	WScript.exe
1984	WScript.exe
1780	WScript.exe
1780	WScript.exe
1604	WScript.exe
1604	WScript.exe
2816	WScript.exe
2816	WScript.exe
3024	WScript.exe
3024	WScript.exe
2696	WScript.exe
2696	WScript.exe
2712	WScript.exe
2712	WScript.exe
1924	WScript.exe
1924	WScript.exe
1232	WScript.exe
1232	WScript.exe
448	WScript.exe
448	WScript.exe
1368	WScript.exe
1368	WScript.exe
940	WScript.exe
940	WScript.exe
2992	WScript.exe
2992	WScript.exe
2640	WScript.exe
2640	WScript.exe
2468	WScript.exe
2468	WScript.exe
2164	WScript.exe
2164	WScript.exe
2792	WScript.exe
2792	WScript.exe
376	WScript.exe
376	WScript.exe
988	WScript.exe
988	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exesvchcst.exesvchcst.exe

pid	process
1784	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe

pid process

1784 10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1784	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
1784	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
2784	svchcst.exe
2784	svchcst.exe
1824	svchcst.exe
1824	svchcst.exe
268	svchcst.exe
268	svchcst.exe
2340	svchcst.exe
2340	svchcst.exe
764	svchcst.exe
764	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
1256	svchcst.exe
1256	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2056	svchcst.exe
2056	svchcst.exe
1500	svchcst.exe
1500	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
840	svchcst.exe
840	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 1784 wrote to memory of 2092	1784	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe	WScript.exe
PID 1784 wrote to memory of 2092	1784	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe	WScript.exe
PID 1784 wrote to memory of 2092	1784	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe	WScript.exe
PID 1784 wrote to memory of 2092	1784	10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe	WScript.exe
PID 2092 wrote to memory of 2784	2092	WScript.exe	svchcst.exe
PID 2092 wrote to memory of 2784	2092	WScript.exe	svchcst.exe
PID 2092 wrote to memory of 2784	2092	WScript.exe	svchcst.exe
PID 2092 wrote to memory of 2784	2092	WScript.exe	svchcst.exe
PID 2784 wrote to memory of 2512	2784	svchcst.exe	WScript.exe
PID 2784 wrote to memory of 2512	2784	svchcst.exe	WScript.exe
PID 2784 wrote to memory of 2512	2784	svchcst.exe	WScript.exe
PID 2784 wrote to memory of 2512	2784	svchcst.exe	WScript.exe
PID 2512 wrote to memory of 1824	2512	WScript.exe	svchcst.exe
PID 2512 wrote to memory of 1824	2512	WScript.exe	svchcst.exe
PID 2512 wrote to memory of 1824	2512	WScript.exe	svchcst.exe
PID 2512 wrote to memory of 1824	2512	WScript.exe	svchcst.exe
PID 1824 wrote to memory of 2776	1824	svchcst.exe	WScript.exe
PID 1824 wrote to memory of 2776	1824	svchcst.exe	WScript.exe
PID 1824 wrote to memory of 2776	1824	svchcst.exe	WScript.exe
PID 1824 wrote to memory of 2776	1824	svchcst.exe	WScript.exe
PID 2776 wrote to memory of 268	2776	WScript.exe	svchcst.exe
PID 2776 wrote to memory of 268	2776	WScript.exe	svchcst.exe
PID 2776 wrote to memory of 268	2776	WScript.exe	svchcst.exe
PID 2776 wrote to memory of 268	2776	WScript.exe	svchcst.exe
PID 268 wrote to memory of 1608	268	svchcst.exe	WScript.exe
PID 268 wrote to memory of 1608	268	svchcst.exe	WScript.exe
PID 268 wrote to memory of 1608	268	svchcst.exe	WScript.exe
PID 268 wrote to memory of 1608	268	svchcst.exe	WScript.exe
PID 1608 wrote to memory of 2340	1608	WScript.exe	svchcst.exe
PID 1608 wrote to memory of 2340	1608	WScript.exe	svchcst.exe
PID 1608 wrote to memory of 2340	1608	WScript.exe	svchcst.exe
PID 1608 wrote to memory of 2340	1608	WScript.exe	svchcst.exe
PID 2340 wrote to memory of 1984	2340	svchcst.exe	WScript.exe
PID 2340 wrote to memory of 1984	2340	svchcst.exe	WScript.exe
PID 2340 wrote to memory of 1984	2340	svchcst.exe	WScript.exe
PID 2340 wrote to memory of 1984	2340	svchcst.exe	WScript.exe
PID 1984 wrote to memory of 764	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 764	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 764	1984	WScript.exe	svchcst.exe
PID 1984 wrote to memory of 764	1984	WScript.exe	svchcst.exe
PID 764 wrote to memory of 1780	764	svchcst.exe	WScript.exe
PID 764 wrote to memory of 1780	764	svchcst.exe	WScript.exe
PID 764 wrote to memory of 1780	764	svchcst.exe	WScript.exe
PID 764 wrote to memory of 1780	764	svchcst.exe	WScript.exe
PID 1780 wrote to memory of 2440	1780	WScript.exe	svchcst.exe
PID 1780 wrote to memory of 2440	1780	WScript.exe	svchcst.exe
PID 1780 wrote to memory of 2440	1780	WScript.exe	svchcst.exe
PID 1780 wrote to memory of 2440	1780	WScript.exe	svchcst.exe
PID 2440 wrote to memory of 1604	2440	svchcst.exe	WScript.exe
PID 2440 wrote to memory of 1604	2440	svchcst.exe	WScript.exe
PID 2440 wrote to memory of 1604	2440	svchcst.exe	WScript.exe
PID 2440 wrote to memory of 1604	2440	svchcst.exe	WScript.exe
PID 1604 wrote to memory of 1028	1604	WScript.exe	svchcst.exe
PID 1604 wrote to memory of 1028	1604	WScript.exe	svchcst.exe
PID 1604 wrote to memory of 1028	1604	WScript.exe	svchcst.exe
PID 1604 wrote to memory of 1028	1604	WScript.exe	svchcst.exe
PID 1028 wrote to memory of 2816	1028	svchcst.exe	WScript.exe
PID 1028 wrote to memory of 2816	1028	svchcst.exe	WScript.exe
PID 1028 wrote to memory of 2816	1028	svchcst.exe	WScript.exe
PID 1028 wrote to memory of 2816	1028	svchcst.exe	WScript.exe
PID 2816 wrote to memory of 2368	2816	WScript.exe	svchcst.exe
PID 2816 wrote to memory of 2368	2816	WScript.exe	svchcst.exe
PID 2816 wrote to memory of 2368	2816	WScript.exe	svchcst.exe
PID 2816 wrote to memory of 2368	2816	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe
"C:\Users\Admin\AppData\Local\Temp\10f3cbfbc4da8ff6c2d9282576003c041000f81a468bc3e9d20ea7816440e1b1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
552a4eea10be4ccbbf8ec769cd824693

SHA1
3e350ca51cb92971d9e65d02fad041aeac8b6c90

SHA256
686bf5557873095ef1ef6ced35f628c8a191f182b584922b3091883833b46115

SHA512
e55fa8ad548c3a763cee844c1b590f6e2a89f6ee03283fc6338224310d2b04595f500f555db5d46b20ada27737946ac1eb08bb57f3a11932b925992c3da524ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
85237fd417d4b2a128dceeb9c541eb23

SHA1
7f87ca05e126e00a27fcf010bf2918f6777f4c48

SHA256
f6e0eb2a93e2f32d156088775c56254ac5577ff23cfcbe077229766397149ebc

SHA512
483d954c6d354b3734128baa5c41f98c75914e4145d3742c83d9a1bf3b258793067fe88194e22612099f4dc61c6ae56958083399131c4f446e79315f72db6cad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c1a05096b3eef097c01168e5b9180346

SHA1
42e83e01d8e1bffb7ba34c3c8e27aa1a42bce2c7

SHA256
711ff88ab782e1116ad1effbdf484259f63ef0e0bafa653815503a9a2e9094af

SHA512
179d279a7f3361b56aaeb3ecaf7a3444905c9fe2976aded2eb499e17a0dc28feb2db944e618a72ef5f788b4d23c7f5592ae6765bcb8da36e5da0ed285a9153b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2419465a854a83b74ac8933689078fac

SHA1
4f2c9bde9e6b794fce35168e187a9c94b889ccca

SHA256
18bd7eef3357bab8d48b1c070a2591d610043bd44b9e95fffa740538244ed29a

SHA512
d3ea988fb1af04feab660975a8faf2958221b947f23c03d6420afaa0cf6ba08ad0feae40f270e3c1dfedebbe68993262f95319d98346b3dc35eb76dd0f6b5366

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a25edd2987c5423b54f2d8b83811dc5

SHA1
c25d14736de3b7f09f0db2b77f791dbf964a149c

SHA256
bca16e09e0f1a96bb712a1bad340690d8a3ec3abbf083e1e51a96670283b10df

SHA512
6f146c4a75fcab005cafaf38143e7cfd300cd9178ba315ea5099f440e928673f5c959ecab52fb82afb003b07c6d2179b734ad897b1781da8aafd60eefa4eac40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b7484fec5a3a6fcbf5728458fea9ab2

SHA1
56a4c5899ba695fdeed155644c9494ee25eb4edb

SHA256
05a6be4305ec6c80f3f958a79078f212d0c26eee464a16637c707f8513e780a7

SHA512
11328815e54d9fcbb2b1fe94ed960f029c8ed6a96a7e08f03dfee3dba97cfae2c92869657952099cd4267056016dcebd2f7d29a9d961a1e95c41acc5bc5f3539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
adac17e99b3dbcadb984734a62cf864b

SHA1
db99b2595a73808d0abb200e62b0b161020a4a98

SHA256
f4f170d2d0d3f558dc22db0446395be8a64ec0d1f4be5d66cdcf475620fabe51

SHA512
db9afb5707f7e265eced051640d3b4933b710c077cbe98e4a1e4b9430357905c6bcb6542ff1b0f3f66237cf5d690cec05a0f4ad456959c99d6e2a275af675304

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2d1f8e698c162c868e2767cf3385c06

SHA1
51476e1bc067b1ae5ba3856809e580f0a45f294e

SHA256
dba9c585d08c7dd0e7cf5b02ba5ad28a8aa5a47b72d8548af76680634a16a412

SHA512
68c5ee26b9754dda4ca49cf76255170bd3943116103fcef8d78edde06b55386147261aa6d702db14aec763f2c6a6141070647158c71e956f9bc0b5a0de5e23eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ab5f3b091c13d15fc1520be394ba5f34

SHA1
5cd7d9d8a486a7267d31c7f155d380c1a468ce8a

SHA256
2693bb950f08367fb9b816f11baa111ca2e1bbb5897c29910e586a7780f6fa71

SHA512
c231c250e45d5e1e5a39792f569ae214513eb630e806d6a97e9a14859504bf9d0417d556139fb6304be48108b97bb5bc5728f8c35a4481fe98f8d6c39ab6d3e8

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
70cccf669490de961ae92740c49b05e0

SHA1
a0e9328b52a5ee035c7a2a62890ec6a3b085f3b8

SHA256
c209de5abc45b18de31dbac273aa1da572a2207888ccc720951c9ac89affbc0b

SHA512
3b4cfed145ba2265937c2c326ea6a95c5ff2d47bb809f9d4cbc259efea177a697bb42c684f348c080f2fb8cebcfcc88747d28d494f754b4ac7ad6428d30ad625

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ba54876cf6b05dd48417911058dac25f

SHA1
bc3bd98cd8c9297f28c4adf6a14787a64477b95f

SHA256
dc9f8eea6d55d7c992ee1af6e52426ecb245deeacd7d799d746cef66de92d2fe

SHA512
e14edea2e87e8b8600f91eb6366109a3b1051ac2b87161cc060e8a10a314946f1f508361e5865675ea8a81092a36dc2fb1101a10b94cadc43297f6b3b32f4c6e

Download Submit
memory/1784-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download