8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
Size

1.1MB
MD5

606e0fc9ec327ff94d0c0eeca1dc9024
SHA1

b9e443e375c95cc0b93fdbaa8eec9ec4ccbc169b
SHA256

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607
SHA512

97602cea01dcf98aacb984617a8f4db638df814e912f6662440d45c29c7a8b2aa9ac35609a0c1906efc7218c99dbd150fb54df9e9fa21f1c5a34720b2adbd65b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qw:CcaClSFlG4ZM7QzM3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2584 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2584	svchcst.exe
1664	svchcst.exe
592	svchcst.exe
2876	svchcst.exe
1168	svchcst.exe
2464	svchcst.exe
1444	svchcst.exe
1752	svchcst.exe
2164	svchcst.exe
1028	svchcst.exe
2832	svchcst.exe
1952	svchcst.exe
316	svchcst.exe
2080	svchcst.exe
1740	svchcst.exe
2308	svchcst.exe
2808	svchcst.exe
2716	svchcst.exe
2176	svchcst.exe
808	svchcst.exe
2528	svchcst.exe
1996	svchcst.exe
2344	svchcst.exe

Loads dropped DLL 44 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2452	WScript.exe
2452	WScript.exe
2548	WScript.exe
1976	WScript.exe
1976	WScript.exe
1976	WScript.exe
1704	WScript.exe
1704	WScript.exe
1176	WScript.exe
1176	WScript.exe
2184	WScript.exe
2184	WScript.exe
2008	WScript.exe
2008	WScript.exe
2332	WScript.exe
2332	WScript.exe
2584	WScript.exe
2584	WScript.exe
1124	WScript.exe
1124	WScript.exe
2216	WScript.exe
2216	WScript.exe
2196	WScript.exe
2196	WScript.exe
1500	WScript.exe
1500	WScript.exe
1972	WScript.exe
1972	WScript.exe
1464	WScript.exe
1464	WScript.exe
2668	WScript.exe
2668	WScript.exe
776	WScript.exe
776	WScript.exe
1816	WScript.exe
1816	WScript.exe
2780	WScript.exe
2780	WScript.exe
2588	WScript.exe
2588	WScript.exe
1924	WScript.exe
1924	WScript.exe
2652	WScript.exe
2652	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exesvchcst.exe

pid	process
2272	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe

pid process

2272 8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2272	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
2272	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
2584	svchcst.exe
2584	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
592	svchcst.exe
592	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
2464	svchcst.exe
2464	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
316	svchcst.exe
316	svchcst.exe
2080	svchcst.exe
2080	svchcst.exe
1740	svchcst.exe
1740	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
2808	svchcst.exe
2808	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
808	svchcst.exe
808	svchcst.exe
2528	svchcst.exe
2528	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 2272 wrote to memory of 2452	2272	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe	WScript.exe
PID 2272 wrote to memory of 2452	2272	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe	WScript.exe
PID 2272 wrote to memory of 2452	2272	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe	WScript.exe
PID 2272 wrote to memory of 2452	2272	8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe	WScript.exe
PID 2452 wrote to memory of 2584	2452	WScript.exe	svchcst.exe
PID 2452 wrote to memory of 2584	2452	WScript.exe	svchcst.exe
PID 2452 wrote to memory of 2584	2452	WScript.exe	svchcst.exe
PID 2452 wrote to memory of 2584	2452	WScript.exe	svchcst.exe
PID 2584 wrote to memory of 2548	2584	svchcst.exe	WScript.exe
PID 2584 wrote to memory of 2548	2584	svchcst.exe	WScript.exe
PID 2584 wrote to memory of 2548	2584	svchcst.exe	WScript.exe
PID 2584 wrote to memory of 2548	2584	svchcst.exe	WScript.exe
PID 2548 wrote to memory of 1664	2548	WScript.exe	svchcst.exe
PID 2548 wrote to memory of 1664	2548	WScript.exe	svchcst.exe
PID 2548 wrote to memory of 1664	2548	WScript.exe	svchcst.exe
PID 2548 wrote to memory of 1664	2548	WScript.exe	svchcst.exe
PID 1664 wrote to memory of 1976	1664	svchcst.exe	WScript.exe
PID 1664 wrote to memory of 1976	1664	svchcst.exe	WScript.exe
PID 1664 wrote to memory of 1976	1664	svchcst.exe	WScript.exe
PID 1664 wrote to memory of 1976	1664	svchcst.exe	WScript.exe
PID 1976 wrote to memory of 592	1976	WScript.exe	svchcst.exe
PID 1976 wrote to memory of 592	1976	WScript.exe	svchcst.exe
PID 1976 wrote to memory of 592	1976	WScript.exe	svchcst.exe
PID 1976 wrote to memory of 592	1976	WScript.exe	svchcst.exe
PID 592 wrote to memory of 1436	592	svchcst.exe	WScript.exe
PID 592 wrote to memory of 1436	592	svchcst.exe	WScript.exe
PID 592 wrote to memory of 1436	592	svchcst.exe	WScript.exe
PID 592 wrote to memory of 1436	592	svchcst.exe	WScript.exe
PID 1976 wrote to memory of 2876	1976	WScript.exe	svchcst.exe
PID 1976 wrote to memory of 2876	1976	WScript.exe	svchcst.exe
PID 1976 wrote to memory of 2876	1976	WScript.exe	svchcst.exe
PID 1976 wrote to memory of 2876	1976	WScript.exe	svchcst.exe
PID 2876 wrote to memory of 1704	2876	svchcst.exe	WScript.exe
PID 2876 wrote to memory of 1704	2876	svchcst.exe	WScript.exe
PID 2876 wrote to memory of 1704	2876	svchcst.exe	WScript.exe
PID 2876 wrote to memory of 1704	2876	svchcst.exe	WScript.exe
PID 1704 wrote to memory of 1168	1704	WScript.exe	svchcst.exe
PID 1704 wrote to memory of 1168	1704	WScript.exe	svchcst.exe
PID 1704 wrote to memory of 1168	1704	WScript.exe	svchcst.exe
PID 1704 wrote to memory of 1168	1704	WScript.exe	svchcst.exe
PID 1168 wrote to memory of 1176	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 1176	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 1176	1168	svchcst.exe	WScript.exe
PID 1168 wrote to memory of 1176	1168	svchcst.exe	WScript.exe
PID 1176 wrote to memory of 2464	1176	WScript.exe	svchcst.exe
PID 1176 wrote to memory of 2464	1176	WScript.exe	svchcst.exe
PID 1176 wrote to memory of 2464	1176	WScript.exe	svchcst.exe
PID 1176 wrote to memory of 2464	1176	WScript.exe	svchcst.exe
PID 2464 wrote to memory of 2184	2464	svchcst.exe	WScript.exe
PID 2464 wrote to memory of 2184	2464	svchcst.exe	WScript.exe
PID 2464 wrote to memory of 2184	2464	svchcst.exe	WScript.exe
PID 2464 wrote to memory of 2184	2464	svchcst.exe	WScript.exe
PID 2184 wrote to memory of 1444	2184	WScript.exe	svchcst.exe
PID 2184 wrote to memory of 1444	2184	WScript.exe	svchcst.exe
PID 2184 wrote to memory of 1444	2184	WScript.exe	svchcst.exe
PID 2184 wrote to memory of 1444	2184	WScript.exe	svchcst.exe
PID 1444 wrote to memory of 2008	1444	svchcst.exe	WScript.exe
PID 1444 wrote to memory of 2008	1444	svchcst.exe	WScript.exe
PID 1444 wrote to memory of 2008	1444	svchcst.exe	WScript.exe
PID 1444 wrote to memory of 2008	1444	svchcst.exe	WScript.exe
PID 2008 wrote to memory of 1752	2008	WScript.exe	svchcst.exe
PID 2008 wrote to memory of 1752	2008	WScript.exe	svchcst.exe
PID 2008 wrote to memory of 1752	2008	WScript.exe	svchcst.exe
PID 2008 wrote to memory of 1752	2008	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe
"C:\Users\Admin\AppData\Local\Temp\8f558916f4103288138e3f218ce0bc916e08a72a7412a20ace1b48a40e31c607.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
PID:1436

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2332

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2584

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:1124

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2216

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:2196

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1500

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2080

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1972

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:1464

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2668

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:776

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:1816

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2780

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:2588

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:1924

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:2652

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c32d8e4ff6f6b1a41d79a2aaad6a62bc

SHA1
42e11a2d871b0c3598f07d8a31e1e7fe7338aa76

SHA256
67a623ee1c85e0695c76d226dbf0a258a18f8cbbc0616e0ebd45e8802453ea09

SHA512
9fded3b3a178f9deae8a774643530733005a08748c296a48ad571f2137a152a70a8157f14d16cb82ff69812c26f60d0893c2a1f0a11e4de007e75388353af7e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
749bd0975d9e493d7c6f1a8a71ed6883

SHA1
f56532a7429611b592e4de36e78ccb1e02973fb9

SHA256
b09e74b2917922cbaaa1e6dec8beffd4e535080ff4184aff72bbfa51e29724ff

SHA512
a3a317f6c12d51c752a486676a4f210321aac3d4ddf6995207c289f672b5fb2503e01982cd05d7b663f80542b25ce65a793cb91979d774e5f2f838e7e4380e28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
92fd94112636ed70bd40c076e4da89b0

SHA1
21a97d92fad9fc3710b6bf9598ce6c61931e968b

SHA256
17669878c1675210204421307fee9b809373d52bc95303ffae6a938ae49d4870

SHA512
a18ddc50b412eef1f9750abced19c92e9ae7373d532292023180ac8f94af4954ee1d05aa03c12606334bcbc5847e67d273d69641d3b9e51d45360067501b68dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
39d10a8feb188efb01ec604ea8255122

SHA1
649e68f9bd31cdd98a67ae82606701b5a9a8ca5c

SHA256
30bcbaefc7472580177313663ad9380a7c51cd07268f10fc07d80fa1b1ab78f5

SHA512
f93c9a3c21df0d09215016c95916ef965d6cd71af5955c019898525dd47847abe0a96a37a2873b70123f52ccddcaf941edbf1854ebe2c1fd4b420811e0dd71dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee5630ee23ef0743d2613180cbeb699a

SHA1
85bb93277ec21062fe00373bb675ad7542f138ce

SHA256
772b2d31674cbcbf24fa2cac9fa8921e450a3567f4a94099fd2d7fc4eee95127

SHA512
b9453114e64282156fabd5cae3bd4d45dbcadf0d9c439160dd01664cc0a726f10ec4bb088401f8a6258eeb8da1aad33bb2a358c81c8d9af44ddad665a93778f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
013d70225323038fda1fca6b7f14d981

SHA1
6f0b6c05ea720359887f452cda4bd3d6e05b8211

SHA256
d4056b07ab16604f2985d2d7d73e1cc24439c02726737adb8d162ab6ce0cf74f

SHA512
1564c02581f520558dd25295142905c524773f814bde2c9f583b848a40b091287db0c0362e7f2970459cabdf2a9603d20c2fc803764e37666f96f0e067b86adf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
456cc8f083f3b788d01cd1aab344ee93

SHA1
f1536672d1c285dc04e754988f4cc3ec41bbb19b

SHA256
727c5bf08e3a1e54de66d44a45ccc4684a0d91eb1a0f180ef864aef32ce2d477

SHA512
a3146af4d45a55b21c5fc2c39f0ab8f8a4fdf84cf9de4df498c8348c623d5ce9c19afb193a9ec08e651552ccf1a0ce0c01a63b4fa9faa6025f93518eb5453537

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6f1c6c861089f54ebc914b9f9b42f40e

SHA1
cc289ac5039975081b09366ec6be5fd3b873491d

SHA256
f02a3f58edc35cbf219422ebf5b38b2a7c3c0ecf4ca1dedfe178073715c03aa6

SHA512
fb6dbe290527ca7d1596518e7e052d0419888f5ca4cbc058df23ff7d32876f0bb859892efc9a2067a951f8d82464e632dd6ae4599074b90cbf057a7551b1c305

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3ed43177ebc5105a1769aaf3584cac4a

SHA1
af9b0d63ef34d29115c1407a45741805bd7060bd

SHA256
1c9f586a6c6e58725b64ad818f529cda4a658fdb3b53da790296bd4cdc5efb05

SHA512
fa689d5ea2af6bd5f609300a5a460590862314daa2843cac380bbe9808d0e5530b020e4b775c91f7a932f68967bea91f7cfba0233d03f78c758c2408b9eba3f5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a23451fe2f68addb0949cffb1330cc7

SHA1
e541df35d00e1fd5fdc6cd2fa5bfd8bfbd31d151

SHA256
d49a989c1a9ed1482b70372bde523c4fa43c169c88f559b161b4b3dcb2222d3a

SHA512
75f0dab6b8ddb601f68aec852b3d24605961c72c7e432715ba112129f56cc765b476081bc98229ce55137120f9c337a5159a860cdb16e033df302ac27d6cb2e2

Download Submit
memory/2272-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download