da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe
Size

1.1MB
MD5

24b190b5e94f3882295e64f1469c3e89
SHA1

df1d9faf8fd384bf2c6701477cf472966d616884
SHA256

da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6
SHA512

6a7f4ff860c4cbfe1f7ded981decef6163443ea5c7fd6bcb6efb9c6fd6975ec4a4c10971c4a66f22deea4e191e28db57173b6cbcdbff3f518bcbbe2cddb8c4e4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q1:CcaClSFlG4ZM7QzMO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

3056 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
3056	svchcst.exe
1432	svchcst.exe
328	svchcst.exe
1668	svchcst.exe
1868	svchcst.exe
1960	svchcst.exe
2992	svchcst.exe
2952	svchcst.exe
2984	svchcst.exe
2876	svchcst.exe
1760	svchcst.exe
1332	svchcst.exe
112	svchcst.exe
2904	svchcst.exe
2536	svchcst.exe
2752	svchcst.exe
3056	svchcst.exe
2984	svchcst.exe
2308	svchcst.exe
1280	svchcst.exe
3064	svchcst.exe
1372	svchcst.exe
2096	svchcst.exe

Loads dropped DLL 46 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2592	WScript.exe
2592	WScript.exe
2640	WScript.exe
2640	WScript.exe
876	WScript.exe
876	WScript.exe
2668	WScript.exe
2668	WScript.exe
1524	WScript.exe
1524	WScript.exe
1036	WScript.exe
1036	WScript.exe
2156	WScript.exe
2156	WScript.exe
2440	WScript.exe
2440	WScript.exe
2660	WScript.exe
2660	WScript.exe
1252	WScript.exe
1252	WScript.exe
1848	WScript.exe
1848	WScript.exe
2060	WScript.exe
2060	WScript.exe
1088	WScript.exe
1088	WScript.exe
560	WScript.exe
560	WScript.exe
1960	WScript.exe
1960	WScript.exe
2580	WScript.exe
2580	WScript.exe
2672	WScript.exe
2672	WScript.exe
2792	WScript.exe
2792	WScript.exe
2188	WScript.exe
2188	WScript.exe
776	WScript.exe
776	WScript.exe
932	WScript.exe
932	WScript.exe
2612	WScript.exe
2612	WScript.exe
1028	WScript.exe
1028	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exesvchcst.exe

pid	process
3036	da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe

pid process

3036 da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
3036	da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe
3036	da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe
3056	svchcst.exe
3056	svchcst.exe
1432	svchcst.exe
1432	svchcst.exe
328	svchcst.exe
328	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
1332	svchcst.exe
1332	svchcst.exe
112	svchcst.exe
112	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
1280	svchcst.exe
1280	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 3036 wrote to memory of 2592	3036	da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe	WScript.exe
PID 3036 wrote to memory of 2592	3036	da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe	WScript.exe
PID 3036 wrote to memory of 2592	3036	da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe	WScript.exe
PID 3036 wrote to memory of 2592	3036	da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe	WScript.exe
PID 2592 wrote to memory of 3056	2592	WScript.exe	svchcst.exe
PID 2592 wrote to memory of 3056	2592	WScript.exe	svchcst.exe
PID 2592 wrote to memory of 3056	2592	WScript.exe	svchcst.exe
PID 2592 wrote to memory of 3056	2592	WScript.exe	svchcst.exe
PID 3056 wrote to memory of 2640	3056	svchcst.exe	WScript.exe
PID 3056 wrote to memory of 2640	3056	svchcst.exe	WScript.exe
PID 3056 wrote to memory of 2640	3056	svchcst.exe	WScript.exe
PID 3056 wrote to memory of 2640	3056	svchcst.exe	WScript.exe
PID 2640 wrote to memory of 1432	2640	WScript.exe	svchcst.exe
PID 2640 wrote to memory of 1432	2640	WScript.exe	svchcst.exe
PID 2640 wrote to memory of 1432	2640	WScript.exe	svchcst.exe
PID 2640 wrote to memory of 1432	2640	WScript.exe	svchcst.exe
PID 1432 wrote to memory of 876	1432	svchcst.exe	WScript.exe
PID 1432 wrote to memory of 876	1432	svchcst.exe	WScript.exe
PID 1432 wrote to memory of 876	1432	svchcst.exe	WScript.exe
PID 1432 wrote to memory of 876	1432	svchcst.exe	WScript.exe
PID 876 wrote to memory of 328	876	WScript.exe	svchcst.exe
PID 876 wrote to memory of 328	876	WScript.exe	svchcst.exe
PID 876 wrote to memory of 328	876	WScript.exe	svchcst.exe
PID 876 wrote to memory of 328	876	WScript.exe	svchcst.exe
PID 328 wrote to memory of 2668	328	svchcst.exe	WScript.exe
PID 328 wrote to memory of 2668	328	svchcst.exe	WScript.exe
PID 328 wrote to memory of 2668	328	svchcst.exe	WScript.exe
PID 328 wrote to memory of 2668	328	svchcst.exe	WScript.exe
PID 2668 wrote to memory of 1668	2668	WScript.exe	svchcst.exe
PID 2668 wrote to memory of 1668	2668	WScript.exe	svchcst.exe
PID 2668 wrote to memory of 1668	2668	WScript.exe	svchcst.exe
PID 2668 wrote to memory of 1668	2668	WScript.exe	svchcst.exe
PID 1668 wrote to memory of 1524	1668	svchcst.exe	WScript.exe
PID 1668 wrote to memory of 1524	1668	svchcst.exe	WScript.exe
PID 1668 wrote to memory of 1524	1668	svchcst.exe	WScript.exe
PID 1668 wrote to memory of 1524	1668	svchcst.exe	WScript.exe
PID 1524 wrote to memory of 1868	1524	WScript.exe	svchcst.exe
PID 1524 wrote to memory of 1868	1524	WScript.exe	svchcst.exe
PID 1524 wrote to memory of 1868	1524	WScript.exe	svchcst.exe
PID 1524 wrote to memory of 1868	1524	WScript.exe	svchcst.exe
PID 1868 wrote to memory of 1036	1868	svchcst.exe	WScript.exe
PID 1868 wrote to memory of 1036	1868	svchcst.exe	WScript.exe
PID 1868 wrote to memory of 1036	1868	svchcst.exe	WScript.exe
PID 1868 wrote to memory of 1036	1868	svchcst.exe	WScript.exe
PID 1036 wrote to memory of 1960	1036	WScript.exe	svchcst.exe
PID 1036 wrote to memory of 1960	1036	WScript.exe	svchcst.exe
PID 1036 wrote to memory of 1960	1036	WScript.exe	svchcst.exe
PID 1036 wrote to memory of 1960	1036	WScript.exe	svchcst.exe
PID 1960 wrote to memory of 2156	1960	svchcst.exe	WScript.exe
PID 1960 wrote to memory of 2156	1960	svchcst.exe	WScript.exe
PID 1960 wrote to memory of 2156	1960	svchcst.exe	WScript.exe
PID 1960 wrote to memory of 2156	1960	svchcst.exe	WScript.exe
PID 2156 wrote to memory of 2992	2156	WScript.exe	svchcst.exe
PID 2156 wrote to memory of 2992	2156	WScript.exe	svchcst.exe
PID 2156 wrote to memory of 2992	2156	WScript.exe	svchcst.exe
PID 2156 wrote to memory of 2992	2156	WScript.exe	svchcst.exe
PID 2992 wrote to memory of 2440	2992	svchcst.exe	WScript.exe
PID 2992 wrote to memory of 2440	2992	svchcst.exe	WScript.exe
PID 2992 wrote to memory of 2440	2992	svchcst.exe	WScript.exe
PID 2992 wrote to memory of 2440	2992	svchcst.exe	WScript.exe
PID 2440 wrote to memory of 2952	2440	WScript.exe	svchcst.exe
PID 2440 wrote to memory of 2952	2440	WScript.exe	svchcst.exe
PID 2440 wrote to memory of 2952	2440	WScript.exe	svchcst.exe
PID 2440 wrote to memory of 2952	2440	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe
"C:\Users\Admin\AppData\Local\Temp\da24cd1f87cf77baf60271e71cff299b4274c6c7ce145addc196d7216dacc7d6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2660

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:1252

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:1848

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:2060

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1088

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:112

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:560

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:1960

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2580

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:2672

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2792

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2188

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:776

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:932

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:2612

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
- Loads dropped DLL
PID:1028

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
48⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
63ecb1b2834db051e8af6e5f651c585d

SHA1
1dc3a30a508b12528fc46e03d3a37ccb87a2f350

SHA256
7007be4a0a75a256cf97a820b24574185f1b303b2068ac5429fb169f6b22f506

SHA512
7653b4b64e40c161cb2b130134b589b287f1daa8c6c24ec9e10e83ecb7f05288f01952baa3de41848d65ac3d54120865a9a1b3a1ce561bde9b73aafbee90b995

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bc2966d3f3eb5043b22b3a48cf4ea883

SHA1
33b2847026f153ffc9ff21975b846dccbf9cf8d4

SHA256
4f09bb986cac85210ccce98643bf8bbc21cc342bf19c7893c3d185b3f8d81a4d

SHA512
18e50c9ee06051100d1a213dc885ddb2b121079252b3a44442ad64f71c117ec4068e40e1671a367aac9819287289903d3f9ba1f3fbae2b86fde14236ca3ed3dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f255f1fdd162bd1b305d58ac26afeb5e

SHA1
c5efad38553da12aa14bf587a6b8f2dc44c1d96f

SHA256
3c0ac5ebfbbc67c2b9d4ec92af8da82c77cdce1a8814367c7c95e70ce7d93088

SHA512
957bbda662cb9c4b9df94d8c9b98e1ff48618876c26f303f564d1934466bab092845639b810cc87b1b04e26a464ec7e707125be20f80310d1fd96976d934be01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b49a6d228f37d9d9b1749e0b9355d3be

SHA1
d452cd17ce4d49c64e16dfdb6a89363b9ed33bd1

SHA256
a30b625481dd0c345567c3684437d1bc050e384365f55f661207601062dc520e

SHA512
f770cc5a4191eb0c4a3facaa96a6c17b6a3234dcf91f0bd32267812da35c1095cee79a198d9f086c8e9081ef29309c54d89223e5f05b7dc26dda5fff1c4cb6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
00395983dbd9253596ee55934580d708

SHA1
a062f28b0d3504c90dc2a4f4fc1b50aa66a70662

SHA256
bb67ac45cc0326eed933623909f8c0ce121ed32f1d65a06f18eb012f4640a0f4

SHA512
9474185be1e738d13fccba5d5a9fa6352de0b481c42b30461deaf55354b860a2f3a648dd161482fc879eec8c31bb6ce75c96bc89d72729b73c9f33d54aa160e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d0612d07d3cedcbcd2d38edbbf91885d

SHA1
59712c3e7c4b9cda66bed6a0f033c40fe2cf3b4b

SHA256
b94b9bc9c881f014c1684119884738bf059b95dbf9311531df0043f4e5cb547a

SHA512
9f767a8c44929b8213e91c85e5901f62c6befe1953ff7af5283adf4ac6c31b42317bd6d843b2ef2266a5dceca6f52f87af3cbe0b8d22126696879466008cff4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
092608783a776f09b32c02f6cb104444

SHA1
0b91b29828f4391b84322285182fb4cb97d44368

SHA256
a10e45d2a3a763b43d119e92c51c7a41b9b5b81d92c46560212dae4d01d4137c

SHA512
c3afa70bfbce5c41b4305470ca761e1a8811a517097982fcd90df35878e0c49fa8afd8c3ad47044d914fcd512469b5135ddd5bd4511b6ec0248a2b1d2e8dea32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c904dd0d1dd6fe16ff57308a79203937

SHA1
b1ce8002ac2087e97bee9eca5b35b4d408b9ba24

SHA256
7799f02399332e9bf50821910f0b2c8192b0d99220b0d96ce5b5b5ee1b411c75

SHA512
e8c14786b745ea5adf94f4efb60a5fcbeb78f22c1cbf70e5be674ab0c6fa5efa38539610351a1c489352eed6e3abcfc814f41b2bdcb88177db2be685c5bc7880

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c8cc9519728dd201049d7c20e9e17e00

SHA1
8b7d75ff1f7c79d8f71032838022c1903ebde5f3

SHA256
25e27cd53357accae42d6f2c39770dcbe44455da38c98650142392c56ec17cd3

SHA512
92d2929fd5d3a738a4e35bd0503416e5dcfd8eb087495d23c5a3ac7beb7bb13e891cb5a09d9ac20d94f2479711ebcdb4720846a593bab6286637f2fc1a517839

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b2013a28f7275d3673e04f941d5026bc

SHA1
5a71ffe1d7781a920701c7cb8229059a0dc68eaf

SHA256
d0b6481e616080f8e1ca69be6f3f22870a5c7d897273546f5be65a76a10dc50c

SHA512
df3431b7e3970af1318940614232cab2d88cde70ad0bbd5fe5b64e1135c3bf6961430e6dc7e9e8c5ba2d1641d17df78f0437abfbf0b3e3cd60cbbebd1df38cbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c42f9f2a8b95fae1db68d42a257afa1a

SHA1
3f44259ffd0e0d72c55241a8f2b687575e15cb31

SHA256
b52c1cb2e3c3168602e1c6d989552b07262a6b3e018dbcc8b3200360ec2a9ae0

SHA512
480e9c451c8942ed01f803910ab32abe94a235a0ef9877a29bfb6d8685d5bbbd9ef2dcb5735f235cc56b6e362cb8b32f774b596f0febfbead3a63a68a68e144a

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3036-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download