d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
Size

1.1MB
MD5

5a284fcaddb721dd81e668bab6b38398
SHA1

f39aa2694448d8cee4d9eb5e79140b93805606f0
SHA256

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4
SHA512

bb1d46a9a506cc4f02fa29f79fac20dd5f1c7cadc64521b73d08a6e9f97444a34abedd23dba7ebe1726fa25f8678bc5c0df72447e133c88f0f7a95689a6d4768
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qn:CcaClSFlG4ZM7QzMQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

1680 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1680	svchcst.exe
2568	svchcst.exe
2912	svchcst.exe
1188	svchcst.exe
2028	svchcst.exe
2980	svchcst.exe
1508	svchcst.exe
2832	svchcst.exe
1404	svchcst.exe
3012	svchcst.exe
2360	svchcst.exe
1012	svchcst.exe
968	svchcst.exe
1564	svchcst.exe
2388	svchcst.exe
1624	svchcst.exe
2832	svchcst.exe
1680	svchcst.exe
1752	svchcst.exe
1744	svchcst.exe
2276	svchcst.exe
2512	svchcst.exe
2532	svchcst.exe

Loads dropped DLL 43 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2988	WScript.exe
2988	WScript.exe
1504	WScript.exe
1504	WScript.exe
1744	WScript.exe
1744	WScript.exe
2276	WScript.exe
2276	WScript.exe
2448	WScript.exe
2448	WScript.exe
1396	WScript.exe
1396	WScript.exe
2552	WScript.exe
2552	WScript.exe
1820	WScript.exe
1820	WScript.exe
2904	WScript.exe
2236	WScript.exe
2236	WScript.exe
2288	WScript.exe
2288	WScript.exe
1936	WScript.exe
1936	WScript.exe
1836	WScript.exe
1836	WScript.exe
2128	WScript.exe
2128	WScript.exe
1724	WScript.exe
1724	WScript.exe
2044	WScript.exe
2044	WScript.exe
2952	WScript.exe
2952	WScript.exe
1376	WScript.exe
1376	WScript.exe
2584	WScript.exe
2584	WScript.exe
3060	WScript.exe
3060	WScript.exe
1200	WScript.exe
1200	WScript.exe
1796	WScript.exe
1796	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exesvchcst.exe

pid	process
2840	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe

pid process

2840 d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2840	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
2840	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
1680	svchcst.exe
1680	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
1188	svchcst.exe
1188	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
1404	svchcst.exe
1404	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
2360	svchcst.exe
2360	svchcst.exe
1012	svchcst.exe
1012	svchcst.exe
968	svchcst.exe
968	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe
1744	svchcst.exe
1744	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 2840 wrote to memory of 2988	2840	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 2840 wrote to memory of 2988	2840	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 2840 wrote to memory of 2988	2840	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 2840 wrote to memory of 2988	2840	d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe	WScript.exe
PID 2988 wrote to memory of 1680	2988	WScript.exe	svchcst.exe
PID 2988 wrote to memory of 1680	2988	WScript.exe	svchcst.exe
PID 2988 wrote to memory of 1680	2988	WScript.exe	svchcst.exe
PID 2988 wrote to memory of 1680	2988	WScript.exe	svchcst.exe
PID 1680 wrote to memory of 1504	1680	svchcst.exe	WScript.exe
PID 1680 wrote to memory of 1504	1680	svchcst.exe	WScript.exe
PID 1680 wrote to memory of 1504	1680	svchcst.exe	WScript.exe
PID 1680 wrote to memory of 1504	1680	svchcst.exe	WScript.exe
PID 1504 wrote to memory of 2568	1504	WScript.exe	svchcst.exe
PID 1504 wrote to memory of 2568	1504	WScript.exe	svchcst.exe
PID 1504 wrote to memory of 2568	1504	WScript.exe	svchcst.exe
PID 1504 wrote to memory of 2568	1504	WScript.exe	svchcst.exe
PID 2568 wrote to memory of 1744	2568	svchcst.exe	WScript.exe
PID 2568 wrote to memory of 1744	2568	svchcst.exe	WScript.exe
PID 2568 wrote to memory of 1744	2568	svchcst.exe	WScript.exe
PID 2568 wrote to memory of 1744	2568	svchcst.exe	WScript.exe
PID 1744 wrote to memory of 2912	1744	WScript.exe	svchcst.exe
PID 1744 wrote to memory of 2912	1744	WScript.exe	svchcst.exe
PID 1744 wrote to memory of 2912	1744	WScript.exe	svchcst.exe
PID 1744 wrote to memory of 2912	1744	WScript.exe	svchcst.exe
PID 2912 wrote to memory of 2276	2912	svchcst.exe	WScript.exe
PID 2912 wrote to memory of 2276	2912	svchcst.exe	WScript.exe
PID 2912 wrote to memory of 2276	2912	svchcst.exe	WScript.exe
PID 2912 wrote to memory of 2276	2912	svchcst.exe	WScript.exe
PID 2276 wrote to memory of 1188	2276	WScript.exe	svchcst.exe
PID 2276 wrote to memory of 1188	2276	WScript.exe	svchcst.exe
PID 2276 wrote to memory of 1188	2276	WScript.exe	svchcst.exe
PID 2276 wrote to memory of 1188	2276	WScript.exe	svchcst.exe
PID 1188 wrote to memory of 2448	1188	svchcst.exe	WScript.exe
PID 1188 wrote to memory of 2448	1188	svchcst.exe	WScript.exe
PID 1188 wrote to memory of 2448	1188	svchcst.exe	WScript.exe
PID 1188 wrote to memory of 2448	1188	svchcst.exe	WScript.exe
PID 2448 wrote to memory of 2028	2448	WScript.exe	svchcst.exe
PID 2448 wrote to memory of 2028	2448	WScript.exe	svchcst.exe
PID 2448 wrote to memory of 2028	2448	WScript.exe	svchcst.exe
PID 2448 wrote to memory of 2028	2448	WScript.exe	svchcst.exe
PID 2028 wrote to memory of 1396	2028	svchcst.exe	WScript.exe
PID 2028 wrote to memory of 1396	2028	svchcst.exe	WScript.exe
PID 2028 wrote to memory of 1396	2028	svchcst.exe	WScript.exe
PID 2028 wrote to memory of 1396	2028	svchcst.exe	WScript.exe
PID 1396 wrote to memory of 2980	1396	WScript.exe	svchcst.exe
PID 1396 wrote to memory of 2980	1396	WScript.exe	svchcst.exe
PID 1396 wrote to memory of 2980	1396	WScript.exe	svchcst.exe
PID 1396 wrote to memory of 2980	1396	WScript.exe	svchcst.exe
PID 2980 wrote to memory of 2552	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 2552	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 2552	2980	svchcst.exe	WScript.exe
PID 2980 wrote to memory of 2552	2980	svchcst.exe	WScript.exe
PID 2552 wrote to memory of 1508	2552	WScript.exe	svchcst.exe
PID 2552 wrote to memory of 1508	2552	WScript.exe	svchcst.exe
PID 2552 wrote to memory of 1508	2552	WScript.exe	svchcst.exe
PID 2552 wrote to memory of 1508	2552	WScript.exe	svchcst.exe
PID 1508 wrote to memory of 1820	1508	svchcst.exe	WScript.exe
PID 1508 wrote to memory of 1820	1508	svchcst.exe	WScript.exe
PID 1508 wrote to memory of 1820	1508	svchcst.exe	WScript.exe
PID 1508 wrote to memory of 1820	1508	svchcst.exe	WScript.exe
PID 1820 wrote to memory of 2832	1820	WScript.exe	svchcst.exe
PID 1820 wrote to memory of 2832	1820	WScript.exe	svchcst.exe
PID 1820 wrote to memory of 2832	1820	WScript.exe	svchcst.exe
PID 1820 wrote to memory of 2832	1820	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe
"C:\Users\Admin\AppData\Local\Temp\d802446fd978fcc9b4258802c43f90d9dee7d871420f072aec97c9285fb616c4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2904

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2236

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
PID:1768

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2288

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1936

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1836

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:2128

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:1724

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2044

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:2952

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:1376

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2584

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:3060

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:1200

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:1796

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ead9a3e79212d21c5ee8c42cd741ac7c

SHA1
ebc5bf6c8e706fcf9a5bb371ea10d1831bb5f8fb

SHA256
4409a5bf0660e4907e08fd29fa877aa0a842c7f5b1f6632fbd8349de67fce5d2

SHA512
6f8caee2d7f036c03ba7c179eb8c3fa33262fb3f1816bcacccb8fd8aaa9a05abb3f3d8b9182bacf7205158a3527b40e737e6716727557c49b5505e1c769a0596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9a0e264424d0b77155745a24165fa44d

SHA1
35a0f7f8533ecb16be5bac45e37912fd6a249685

SHA256
164c77c6966eb8681d79278a45322399cecedbbd44b9b7cfb75caf2c799c0316

SHA512
c62df990f010b5d4cb078b4b24aea0af9efccd9272f53d629e3f299abc6d9db163ef310007f24922de98272c3feef44ceeb1fd469a2f5b50fb3f46bfe37856f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
91960902c2beb0827f742198799ccae9

SHA1
9eacd77c46527164693bd1d44ee05a7aa95448ed

SHA256
3a9268d041f93061860645ba800e0b47a1fe485327ff7525f642fec870ac5845

SHA512
6f0146014b01f4804b767b5bb367402a28aff78c4387b1b5638316f8062829bf440af75b69d2e806474bab7f8065c0fbc43519c5d8b5cf41d5635db6016c0884

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
14439ba996f9f0ee888df0c11b74252a

SHA1
8a9a2e2128db8e9ff4d1e918ca88a08760429827

SHA256
ac455fdc053f577bb6bef15caa1a126287c5a486610d97446fbda16a686755d8

SHA512
f3a66409f070008ef0094a1e8365df80c09fcc5a4b0c87f2f08f44e229c6ae6eb03f30fa4499c1860723b5da33fec8dac97241970c3d9e71789c7ba782a97754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
794157068beb52458b02b822adeb6adc

SHA1
075b22000981b19713d29488483acbfab83c6bc0

SHA256
b52200934ba3ffac732293a08fc815b9cb867628ff3d662ff19e71c53bf17eb6

SHA512
8794626e191ad154722916c8cb7d74b2b2a365cec4048eaa573a508a46b954b147c976956eb1702964f8e636effbdbe1e58f5a8d52828aaf5787239b26643e79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d795b367d1ceff7b3688b84f2098cf0b

SHA1
3a76a85f923fd4cbcbe9128d69696f4e9fb564a9

SHA256
fa9140f8bb7c8b1d0732f92d8352dfe3bf6fe0416fc0b7750b4ec736500cac31

SHA512
63d0a437ed7b7f76723b8b1f5d89d016f91e63299ced2639b10cae892bcb3d7757cf3704c3c556722cc0b3d0626cce0bce54b8a3444f71cababa52d203ab3243

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a2188ef2dc3888e86e37dd6c22a38317

SHA1
417531a3c3910f0b940b0bc6ffda1f850621d1c4

SHA256
cc336ef05b4d6202516236aa493a6e0e8cba0a832467c6d68f5ca08539fa58b2

SHA512
2192a4a862a92e4c4e71c446408b4e996221b4734fd1280e5c68cfc06c2f270c4a9e3c7e86517ef2ace4eee53defa41a862a2174aed25ba4b4ab1ac0fe245924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
49a653e6a8ca76bc2b594b297d3fbcd5

SHA1
a89d4c1bb7162bfd6a5b161a2ca8608a3f2e4214

SHA256
d0239615057941f0377b2d36fb66b6b54d9a374eb5935fe2cb5112f8d46ee289

SHA512
84841909c6dfc0d9b3a8aec075b72275e8887fedf5467e5c7a5ce777efaacb0b5f08db83c8532ece924d68469771ddb915edc2132df589466244279a510973a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ded88969d9e900a33163a98d67f872ab

SHA1
4240733234295f1a46714b249de56877e46f8750

SHA256
41df68a78305a773445ee5374d44a1f878bda05e021a3109a9efbc4e83464b78

SHA512
e950636591e0d46562f9f739a506931d419de5f787e4d6466f7955b7f228de5c8d2dca8a0e6db9533c5c0999105865a02be2334ac0c1e690f74b319fc07592fd

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2840-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download