Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 18:43
Static task
static1
Behavioral task
behavioral1
Sample
691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
Resource
win10v2004-20240611-en
General
Target: 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
Size: 1.1MB
MD5: 6d76dd1996b7c3c54a522968ea2ed08f
SHA1: 3f716630ac0d1b107e5bbc4b7b12502cf04fd8a8
SHA256: 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f
SHA512: 96acca447a2e5997ece19e527584fb712a4182970071f8eb3eb6bc3b2fa6293d3303b352fa482630ba90aede9a28f51957120337285712b8b8b47cfe61638223
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qb:acallSllG4ZM7QzM8
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
svchcst.exe, PID 2420
Executes dropped EXE 25 IoCs
Processes:
svchcst.exe, PIDs 2420, 2668, 1008, 1260, 1396, 3040, 2080, 2584, 2544, 2000, 2332, 1836, 2848, 1172, 1428, 1928, 2528, 2324, 2412, 1960, 1940, 2028, 744, 1312, 1264
Loads dropped DLL 41 IoCs
Processes:
WScript.exe, PIDs 2564, 2472, 2124, 332, 2092, 1900, 2296, 2372, 2340, 1008, 816, 3000, 2072, 2384, 2136, 3056, 340, 1724, 2316, 2404, 2100
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe, PID 3056
svchcst.exe, PIDs 2420, 2668
Suspicious behavior: RenamesItself 1 IoCs
Processes:
691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe, PID 3056
Suspicious use of SetWindowsHookEx 52 IoCs
Processes:
691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe, PID 3056
svchcst.exe, PIDs 2420, 2668, 1008, 1260, 1396, 3040, 2080, 2584, 2544, 2000, 2332, 1836, 2848, 1172, 1428, 1928, 2528, 2324, 2412, 1960, 1940, 2028, 744, 1312, 1264
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each write below is recorded four times in the report):
PID 3056 (691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe) wrote to memory of PID 2564 (WScript.exe)
PID 2564 (WScript.exe) wrote to memory of PID 2420 (svchcst.exe)
PID 2420 (svchcst.exe) wrote to memory of PID 2472 (WScript.exe)
PID 2472 (WScript.exe) wrote to memory of PID 2668 (svchcst.exe)
PID 2668 (svchcst.exe) wrote to memory of PID 2124 (WScript.exe)
PID 2124 (WScript.exe) wrote to memory of PID 1008 (svchcst.exe)
PID 1008 (svchcst.exe) wrote to memory of PID 332 (WScript.exe)
PID 332 (WScript.exe) wrote to memory of PID 1260 (svchcst.exe)
PID 1260 (svchcst.exe) wrote to memory of PID 2228 (WScript.exe)
PID 332 (WScript.exe) wrote to memory of PID 1396 (svchcst.exe)
PID 1396 (svchcst.exe) wrote to memory of PID 2092 (WScript.exe)
PID 2092 (WScript.exe) wrote to memory of PID 3040 (svchcst.exe)
PID 3040 (svchcst.exe) wrote to memory of PID 1900 (WScript.exe)
PID 1900 (WScript.exe) wrote to memory of PID 2080 (svchcst.exe)
PID 2080 (svchcst.exe) wrote to memory of PID 2296 (WScript.exe)
PID 2296 (WScript.exe) wrote to memory of PID 2584 (svchcst.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"10⤵PID:2228
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2584 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"16⤵
- Loads dropped DLL
PID:2372 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2000 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"18⤵
- Loads dropped DLL
PID:2340 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2332 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"20⤵
- Loads dropped DLL
PID:1008 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1836 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1172 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"22⤵
- Loads dropped DLL
PID:816 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1428 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"24⤵
- Loads dropped DLL
PID:3000 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"26⤵
- Loads dropped DLL
PID:2072 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2528 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"28⤵
- Loads dropped DLL
PID:2384 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2324 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"30⤵
- Loads dropped DLL
PID:2136 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2412 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"32⤵
- Loads dropped DLL
PID:3056 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1960 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"34⤵
- Loads dropped DLL
PID:340 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1940 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"36⤵
- Loads dropped DLL
PID:1724 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"38⤵
- Loads dropped DLL
PID:2316 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:744 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"40⤵
- Loads dropped DLL
PID:2404 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1312 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"42⤵
- Loads dropped DLL
PID:2100 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1264 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"44⤵PID:3000
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"16⤵PID:2564
Network
MITRE ATT&CK Enterprise v15
Downloads