dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
Size

1.1MB
MD5

1887c162bc09af430797085df1c78f41
SHA1

76870ae475504b53e6bc01cfc7c9328abb1c11e5
SHA256

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9
SHA512

1612c92cde0a51a0c0c33e8b07d0539eca0a8e78618de5297c1aae9275aa74ce9961ea028f66dd51699030b891dd669739ab94bb43096a3c2d1867bf289a3336
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QP:CcaClSFlG4ZM7QzM4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2768 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2768	svchcst.exe
2508	svchcst.exe
1976	svchcst.exe
2168	svchcst.exe
1480	svchcst.exe
2240	svchcst.exe
2500	svchcst.exe
2996	svchcst.exe
2436	svchcst.exe
1456	svchcst.exe
2968	svchcst.exe
1804	svchcst.exe
3028	svchcst.exe
2476	svchcst.exe
796	svchcst.exe
2492	svchcst.exe
2636	svchcst.exe
2460	svchcst.exe
916	svchcst.exe
2948	svchcst.exe
2676	svchcst.exe
1632	svchcst.exe
3028	svchcst.exe

Loads dropped DLL 43 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2548	WScript.exe
2548	WScript.exe
2880	WScript.exe
2880	WScript.exe
1736	WScript.exe
1736	WScript.exe
1564	WScript.exe
1564	WScript.exe
1256	WScript.exe
1256	WScript.exe
2416	WScript.exe
2416	WScript.exe
572	WScript.exe
572	WScript.exe
1700	WScript.exe
2316	WScript.exe
2316	WScript.exe
2316	WScript.exe
2276	WScript.exe
2276	WScript.exe
604	WScript.exe
1152	WScript.exe
1152	WScript.exe
1008	WScript.exe
1008	WScript.exe
1652	WScript.exe
1652	WScript.exe
2716	WScript.exe
2716	WScript.exe
2728	WScript.exe
2728	WScript.exe
1584	WScript.exe
1584	WScript.exe
2608	WScript.exe
2608	WScript.exe
2372	WScript.exe
2372	WScript.exe
2812	WScript.exe
2812	WScript.exe
940	WScript.exe
940	WScript.exe
2468	WScript.exe
2468	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exesvchcst.exe

pid	process
3068	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe

pid process

3068 dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
3068	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
3068	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
2768	svchcst.exe
2768	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
1976	svchcst.exe
1976	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
1456	svchcst.exe
1456	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
796	svchcst.exe
796	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
2636	svchcst.exe
2636	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
916	svchcst.exe
916	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
3028	svchcst.exe
3028	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 3068 wrote to memory of 2548	3068	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3068 wrote to memory of 2548	3068	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3068 wrote to memory of 2548	3068	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 3068 wrote to memory of 2548	3068	dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe	WScript.exe
PID 2548 wrote to memory of 2768	2548	WScript.exe	svchcst.exe
PID 2548 wrote to memory of 2768	2548	WScript.exe	svchcst.exe
PID 2548 wrote to memory of 2768	2548	WScript.exe	svchcst.exe
PID 2548 wrote to memory of 2768	2548	WScript.exe	svchcst.exe
PID 2768 wrote to memory of 2880	2768	svchcst.exe	WScript.exe
PID 2768 wrote to memory of 2880	2768	svchcst.exe	WScript.exe
PID 2768 wrote to memory of 2880	2768	svchcst.exe	WScript.exe
PID 2768 wrote to memory of 2880	2768	svchcst.exe	WScript.exe
PID 2880 wrote to memory of 2508	2880	WScript.exe	svchcst.exe
PID 2880 wrote to memory of 2508	2880	WScript.exe	svchcst.exe
PID 2880 wrote to memory of 2508	2880	WScript.exe	svchcst.exe
PID 2880 wrote to memory of 2508	2880	WScript.exe	svchcst.exe
PID 2508 wrote to memory of 1736	2508	svchcst.exe	WScript.exe
PID 2508 wrote to memory of 1736	2508	svchcst.exe	WScript.exe
PID 2508 wrote to memory of 1736	2508	svchcst.exe	WScript.exe
PID 2508 wrote to memory of 1736	2508	svchcst.exe	WScript.exe
PID 1736 wrote to memory of 1976	1736	WScript.exe	svchcst.exe
PID 1736 wrote to memory of 1976	1736	WScript.exe	svchcst.exe
PID 1736 wrote to memory of 1976	1736	WScript.exe	svchcst.exe
PID 1736 wrote to memory of 1976	1736	WScript.exe	svchcst.exe
PID 1976 wrote to memory of 1564	1976	svchcst.exe	WScript.exe
PID 1976 wrote to memory of 1564	1976	svchcst.exe	WScript.exe
PID 1976 wrote to memory of 1564	1976	svchcst.exe	WScript.exe
PID 1976 wrote to memory of 1564	1976	svchcst.exe	WScript.exe
PID 1564 wrote to memory of 2168	1564	WScript.exe	svchcst.exe
PID 1564 wrote to memory of 2168	1564	WScript.exe	svchcst.exe
PID 1564 wrote to memory of 2168	1564	WScript.exe	svchcst.exe
PID 1564 wrote to memory of 2168	1564	WScript.exe	svchcst.exe
PID 2168 wrote to memory of 1256	2168	svchcst.exe	WScript.exe
PID 2168 wrote to memory of 1256	2168	svchcst.exe	WScript.exe
PID 2168 wrote to memory of 1256	2168	svchcst.exe	WScript.exe
PID 2168 wrote to memory of 1256	2168	svchcst.exe	WScript.exe
PID 1256 wrote to memory of 1480	1256	WScript.exe	svchcst.exe
PID 1256 wrote to memory of 1480	1256	WScript.exe	svchcst.exe
PID 1256 wrote to memory of 1480	1256	WScript.exe	svchcst.exe
PID 1256 wrote to memory of 1480	1256	WScript.exe	svchcst.exe
PID 1480 wrote to memory of 2416	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 2416	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 2416	1480	svchcst.exe	WScript.exe
PID 1480 wrote to memory of 2416	1480	svchcst.exe	WScript.exe
PID 2416 wrote to memory of 2240	2416	WScript.exe	svchcst.exe
PID 2416 wrote to memory of 2240	2416	WScript.exe	svchcst.exe
PID 2416 wrote to memory of 2240	2416	WScript.exe	svchcst.exe
PID 2416 wrote to memory of 2240	2416	WScript.exe	svchcst.exe
PID 2240 wrote to memory of 572	2240	svchcst.exe	WScript.exe
PID 2240 wrote to memory of 572	2240	svchcst.exe	WScript.exe
PID 2240 wrote to memory of 572	2240	svchcst.exe	WScript.exe
PID 2240 wrote to memory of 572	2240	svchcst.exe	WScript.exe
PID 572 wrote to memory of 2500	572	WScript.exe	svchcst.exe
PID 572 wrote to memory of 2500	572	WScript.exe	svchcst.exe
PID 572 wrote to memory of 2500	572	WScript.exe	svchcst.exe
PID 572 wrote to memory of 2500	572	WScript.exe	svchcst.exe
PID 2500 wrote to memory of 1700	2500	svchcst.exe	WScript.exe
PID 2500 wrote to memory of 1700	2500	svchcst.exe	WScript.exe
PID 2500 wrote to memory of 1700	2500	svchcst.exe	WScript.exe
PID 2500 wrote to memory of 1700	2500	svchcst.exe	WScript.exe
PID 1700 wrote to memory of 2996	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 2996	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 2996	1700	WScript.exe	svchcst.exe
PID 1700 wrote to memory of 2996	1700	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe
"C:\Users\Admin\AppData\Local\Temp\dbb2379595f0e6c4586bb6e30fbda936378854814b253f71a3aa0c941a2f9bf9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2316

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
PID:2624

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2276

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:604

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1152

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1008

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1652

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2716

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2728

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:1584

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2608

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2372

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:2812

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:2468

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
f715ac0cdd665945d41928099370a101

SHA1
c24fa2c7b518154dc3c9fd9a782d9f401deeef7d

SHA256
8c2c24a6f328cc31f7f6b3dbbaf30d02fa01811df8a3146708616d659a2e1e2c

SHA512
6805cf91b3728c62fdce4375f4c0b31e6dc52aca47739531bfedc7e0ac72f18968d84290f4509f8e910ad3811b628aa75b08d223433bee43d506b0e855a129d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da08c91fa3eaa83f7dd819ef5fabc17b

SHA1
1271a26d42e9292bb3c4fb0eb18e87d48a3a220e

SHA256
fb23f18e778c8fdb642a7dc6ff04eb82d066457c1d510858dfc4a225104ac5c6

SHA512
1d7ff89b2609b7ced46738095ec50acbc5ac832b14f095536abfdc3c0dd6668274484ddd6f802570ef1bef5695059de7187e3339b23216969f10c4d8cb00eedb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0829d84db98cc99bc2db5f6de6efd5a5

SHA1
7140d2de27060760c496259ee149421eada9720c

SHA256
c80d9bcdf7dec79f4f56aa5683ebd4a2628927f88d7612ad8269f3e8d12578be

SHA512
bed52312664600fe221fb574e09e05c5e912d43d3636f47e4a97fb5da7bef17aa753d4440c73065a88505443be8173404605d02b28f47fb7a9d0326a41c2babf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
699be52d2ea7b3a4bb949a035c0fe068

SHA1
61f3b087a828afaad0bc5d657cf39b92857a3d23

SHA256
d940b2f0030c41ce3284800683d2319d0b8349c9b5d5e51ab99b3a445b8bb936

SHA512
32e32916daf74b0d6378c29116decd37668003106b961cbb4ced96ea7fbf77edf4378c9f87ae73e16cc810a3bb19b1ff97125631f003b30c000ad0339ed6da86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2743a0a980e002c04431122a0e35820f

SHA1
fb47e0fe15b0830f5564a1dfe821a93661ea4ad8

SHA256
36531e9b204a21d0050b8c6adf48316810c327badf5f7c67c28a180290458761

SHA512
75eb9286b480880d03844ab6c2b85bc307ada5bb27a5f2e1ca14d7e105ce4a213c84af8233c00f9a7fdebd34f727f8f66182d63ab735f0482359cf145b076a8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0d4d32e2b17aa60ba28090b637160815

SHA1
f143089d9c59519725e3a7af81b44a78f8485e6e

SHA256
f7a79737b74c2f0681bf1e41fb94b6b05ef6745dd571913a510a30598158f879

SHA512
3c29f0db29d19c3279dde9bac87caf17d96c741304b81a0eef4a0a10d27d8ec987fc4f77e03270994962662352d65ccf636f94560a3611e2f5515603e6b0a44d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87fb624803d95990bed7c0415bab1402

SHA1
6f7623809f3787125826252c0d80bb835bffc58e

SHA256
37e51590e4cf5cddf57be7497dc55734d5e48cc7476a3d4081685a25fdf25389

SHA512
deae1f211c493b07605fd67b1f36166b414a6b2a14544b51ec223899f5098013febfdb3d2832ddcb8ec105238a16fd9644b917b2dfc00e73cde2dabc930c1189

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d6239898724dc419bcb2e3c108e11620

SHA1
227cbf6c7ead1c50586a8e2f534df4316026c8b7

SHA256
98669fefc2525053a80115a3788440f470169975cdde04817554052d765f84cd

SHA512
9bff9570dd9bdd25422b3dd49a0e71393ce36eac419d3e77d4c0beac89b1b82d60bd582c414eea8c77accddf2f40b3aa2adb253dcfbde8147aed7d52231c0e43

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
70a218e051989af03e673195d438656c

SHA1
81604f60c691afae58e7b80496d510724148b30a

SHA256
f10394d37e7fada6d1a45bf8b0b1e46496aedc4ca1c5d23dca71e1f4cb232b72

SHA512
db297b98e7205256a7bf374f05cbd865a42a2fa33ad80375a826aacb2cc3f941ed2dc67321e11ac67861d24861aaa7841f1d4a1d8faae6f6443cab154f489199

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
43846678d85f3b49cc24db121de17ed7

SHA1
f972986aaa0ad5d48344667eaa14dd13fb68c3c2

SHA256
f6907948894752f1bb052bdfc60fe4ea007eec377c9766e59461b8a65b6d1e8d

SHA512
2aa664eb76ed8a41ae5e11302906f9acf8014cc47e97e372fd71c82c0d80662021fea060edc7abe02a4936d76e53845841339682bc75a2ff8465d9ff1ee63bd6

Download Submit
memory/3068-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download