1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
Size

1.1MB
MD5

1a2ea174eed876ae66a1d841383ee4d9
SHA1

51efabbc0f6430c599781eab4a8b4fedb4464960
SHA256

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b
SHA512

611c2e6bfc9a9cb9fef182dbbed73f71a122f1493860f639aafcdc9737c19278a0dbe068f1417d94205cb24130c5a45bc057eb9dc90fc4f00159e819cd5946d6
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzM7

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2612 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2612	svchcst.exe
2624	svchcst.exe
1680	svchcst.exe
1784	svchcst.exe
556	svchcst.exe
3036	svchcst.exe
1556	svchcst.exe
2780	svchcst.exe
2028	svchcst.exe
2648	svchcst.exe
1008	svchcst.exe
328	svchcst.exe
696	svchcst.exe
808	svchcst.exe
1708	svchcst.exe
1036	svchcst.exe
2308	svchcst.exe
2468	svchcst.exe
2480	svchcst.exe
2760	svchcst.exe
2372	svchcst.exe
2412	svchcst.exe
872	svchcst.exe

Loads dropped DLL 35 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
3040	WScript.exe
3040	WScript.exe
2344	WScript.exe
2344	WScript.exe
2340	WScript.exe
2340	WScript.exe
2412	WScript.exe
2628	WScript.exe
1668	WScript.exe
1876	WScript.exe
1876	WScript.exe
2588	WScript.exe
2588	WScript.exe
2392	WScript.exe
1968	WScript.exe
2144	WScript.exe
600	WScript.exe
3024	WScript.exe
3024	WScript.exe
600	WScript.exe
600	WScript.exe
1628	WScript.exe
1628	WScript.exe
3012	WScript.exe
3012	WScript.exe
2684	WScript.exe
2684	WScript.exe
1356	WScript.exe
1356	WScript.exe
2024	WScript.exe
2024	WScript.exe
2904	WScript.exe
2904	WScript.exe
696	WScript.exe
696	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exesvchcst.exesvchcst.exe

pid	process
2028	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe

pid process

2028 1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2028	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
2028	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
2612	svchcst.exe
2612	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
556	svchcst.exe
556	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
1556	svchcst.exe
1556	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
328	svchcst.exe
328	svchcst.exe
696	svchcst.exe
696	svchcst.exe
808	svchcst.exe
808	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
872	svchcst.exe
872	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exe

description	pid	process	target process
PID 2028 wrote to memory of 3040	2028	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe	WScript.exe
PID 2028 wrote to memory of 3040	2028	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe	WScript.exe
PID 2028 wrote to memory of 3040	2028	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe	WScript.exe
PID 2028 wrote to memory of 3040	2028	1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe	WScript.exe
PID 3040 wrote to memory of 2612	3040	WScript.exe	svchcst.exe
PID 3040 wrote to memory of 2612	3040	WScript.exe	svchcst.exe
PID 3040 wrote to memory of 2612	3040	WScript.exe	svchcst.exe
PID 3040 wrote to memory of 2612	3040	WScript.exe	svchcst.exe
PID 2612 wrote to memory of 2344	2612	svchcst.exe	WScript.exe
PID 2612 wrote to memory of 2344	2612	svchcst.exe	WScript.exe
PID 2612 wrote to memory of 2344	2612	svchcst.exe	WScript.exe
PID 2612 wrote to memory of 2344	2612	svchcst.exe	WScript.exe
PID 2344 wrote to memory of 2624	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 2624	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 2624	2344	WScript.exe	svchcst.exe
PID 2344 wrote to memory of 2624	2344	WScript.exe	svchcst.exe
PID 2624 wrote to memory of 2340	2624	svchcst.exe	WScript.exe
PID 2624 wrote to memory of 2340	2624	svchcst.exe	WScript.exe
PID 2624 wrote to memory of 2340	2624	svchcst.exe	WScript.exe
PID 2624 wrote to memory of 2340	2624	svchcst.exe	WScript.exe
PID 2340 wrote to memory of 1680	2340	WScript.exe	svchcst.exe
PID 2340 wrote to memory of 1680	2340	WScript.exe	svchcst.exe
PID 2340 wrote to memory of 1680	2340	WScript.exe	svchcst.exe
PID 2340 wrote to memory of 1680	2340	WScript.exe	svchcst.exe
PID 1680 wrote to memory of 2412	1680	svchcst.exe	WScript.exe
PID 1680 wrote to memory of 2412	1680	svchcst.exe	WScript.exe
PID 1680 wrote to memory of 2412	1680	svchcst.exe	WScript.exe
PID 1680 wrote to memory of 2412	1680	svchcst.exe	WScript.exe
PID 2412 wrote to memory of 1784	2412	WScript.exe	svchcst.exe
PID 2412 wrote to memory of 1784	2412	WScript.exe	svchcst.exe
PID 2412 wrote to memory of 1784	2412	WScript.exe	svchcst.exe
PID 2412 wrote to memory of 1784	2412	WScript.exe	svchcst.exe
PID 1784 wrote to memory of 2628	1784	svchcst.exe	WScript.exe
PID 1784 wrote to memory of 2628	1784	svchcst.exe	WScript.exe
PID 1784 wrote to memory of 2628	1784	svchcst.exe	WScript.exe
PID 1784 wrote to memory of 2628	1784	svchcst.exe	WScript.exe
PID 2628 wrote to memory of 556	2628	WScript.exe	svchcst.exe
PID 2628 wrote to memory of 556	2628	WScript.exe	svchcst.exe
PID 2628 wrote to memory of 556	2628	WScript.exe	svchcst.exe
PID 2628 wrote to memory of 556	2628	WScript.exe	svchcst.exe
PID 556 wrote to memory of 1668	556	svchcst.exe	WScript.exe
PID 556 wrote to memory of 1668	556	svchcst.exe	WScript.exe
PID 556 wrote to memory of 1668	556	svchcst.exe	WScript.exe
PID 556 wrote to memory of 1668	556	svchcst.exe	WScript.exe
PID 1668 wrote to memory of 3036	1668	WScript.exe	svchcst.exe
PID 1668 wrote to memory of 3036	1668	WScript.exe	svchcst.exe
PID 1668 wrote to memory of 3036	1668	WScript.exe	svchcst.exe
PID 1668 wrote to memory of 3036	1668	WScript.exe	svchcst.exe
PID 3036 wrote to memory of 1876	3036	svchcst.exe	WScript.exe
PID 3036 wrote to memory of 1876	3036	svchcst.exe	WScript.exe
PID 3036 wrote to memory of 1876	3036	svchcst.exe	WScript.exe
PID 3036 wrote to memory of 1876	3036	svchcst.exe	WScript.exe
PID 1876 wrote to memory of 1556	1876	WScript.exe	svchcst.exe
PID 1876 wrote to memory of 1556	1876	WScript.exe	svchcst.exe
PID 1876 wrote to memory of 1556	1876	WScript.exe	svchcst.exe
PID 1876 wrote to memory of 1556	1876	WScript.exe	svchcst.exe
PID 1556 wrote to memory of 3012	1556	svchcst.exe	WScript.exe
PID 1556 wrote to memory of 3012	1556	svchcst.exe	WScript.exe
PID 1556 wrote to memory of 3012	1556	svchcst.exe	WScript.exe
PID 1556 wrote to memory of 3012	1556	svchcst.exe	WScript.exe
PID 1876 wrote to memory of 2780	1876	WScript.exe	svchcst.exe
PID 1876 wrote to memory of 2780	1876	WScript.exe	svchcst.exe
PID 1876 wrote to memory of 2780	1876	WScript.exe	svchcst.exe
PID 1876 wrote to memory of 2780	1876	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe
"C:\Users\Admin\AppData\Local\Temp\1347a77565cf2dbeb69f4babd3ad35bcb008917f2888dc995775f923b4f3c15b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
PID:3012

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2588

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
PID:2452

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2392

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:1968

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2144

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:696

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:600

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:3024

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
PID:2116

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1628

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:3012

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2684

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:1356

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:2024

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2904

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:696

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:872

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a06a6c634f5fe9f86f9ba759415f15aa

SHA1
4e35507eaf182ad3c5606cb1c265fc25da0b5b5c

SHA256
5d7effe51c587f32d04685e1ce8396247cd8044d7c34f6d3b84a0cb0ed07298f

SHA512
5aeb2698622bb0e3b2be1e81e53de7de527154c3a5f3e9b950961d8102cbf0263caa2b4745f13382ef002836d94cf17c40a937fb8a80404e576e2c778e7f9156

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
124e402fc0eead486b1e847816038448

SHA1
41f0652b3ac6744e40d022e32e9f7708882a03fa

SHA256
64045b7f71112ea9c054349abeba2985381ce28ec2a81009b3155a988b95d181

SHA512
933a60ec1394d63af905f2b08ef0b71c9756107c1c0ec9828ca6c032244df9aedc32a43f3c2f7c19b3cf99d35c23c5bea250f121f2d7abeb3f1cf1b0673e4b10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2059da92b7814165adf3c9537f6c70a8

SHA1
1fa40a435f89d83ea1b82858a33f9b7410d9f93d

SHA256
add4aebd31b4412ca8176bbe80cdff11885229085cea9e9a1c20bb76f5c53f7c

SHA512
f1c003956d24417212413eb9ff33156ec782676c88970424f08f14dd11537bc2ec18b41ddd1396099c44277d381dccaa55411cd09255dd5d23f5a8f12d665ce3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c4094a12459f27c21b8c8d72d114921f

SHA1
e9c5b150f9516a137ad3c1a2292a4f5115200c7e

SHA256
223ff247534d30c527e2ca14fe42345ed786bee74eeffe616976f9e4b92fab43

SHA512
264cc4356a8a86127ea4e8a5a67f5f9b34492ab3fb46ff6008abab66025a020456ee71275bcedf22dff3a4cf51106eca5dc34442b6ffc1d7f1795978897e6bd5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2028-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download