91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
Size

1.1MB
MD5

5aa11867bcfd05035fc2b2dbf1547c9a
SHA1

9d3703cff5101dc847d65c15b490440abed5c64b
SHA256

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1
SHA512

fa8ae84ab975187889301806cd3446fe5ad6050525ec83de60725004c75ed2aedc85f34e54e93bdd639afa0b6e848abc2865212554efa421152dbfd39bce2445
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2412 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2412	svchcst.exe
2716	svchcst.exe
584	svchcst.exe
2060	svchcst.exe
1944	svchcst.exe
2936	svchcst.exe
1652	svchcst.exe
3000	svchcst.exe
1524	svchcst.exe
2748	svchcst.exe
1804	svchcst.exe
2820	svchcst.exe
2376	svchcst.exe
2028	svchcst.exe
2324	svchcst.exe
2156	svchcst.exe
1564	svchcst.exe
668	svchcst.exe
3024	svchcst.exe
2716	svchcst.exe
584	svchcst.exe
2780	svchcst.exe
1736	svchcst.exe

Loads dropped DLL 44 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2100	WScript.exe
2100	WScript.exe
2944	WScript.exe
2944	WScript.exe
1952	WScript.exe
1952	WScript.exe
688	WScript.exe
688	WScript.exe
2392	WScript.exe
2392	WScript.exe
336	WScript.exe
2988	WScript.exe
872	WScript.exe
872	WScript.exe
2708	WScript.exe
2708	WScript.exe
2892	WScript.exe
2892	WScript.exe
2724	WScript.exe
2724	WScript.exe
1860	WScript.exe
1860	WScript.exe
2228	WScript.exe
2228	WScript.exe
1332	WScript.exe
1332	WScript.exe
2108	WScript.exe
2108	WScript.exe
2592	WScript.exe
2592	WScript.exe
2528	WScript.exe
2528	WScript.exe
2428	WScript.exe
2428	WScript.exe
2408	WScript.exe
2408	WScript.exe
772	WScript.exe
772	WScript.exe
1764	WScript.exe
1764	WScript.exe
2816	WScript.exe
2816	WScript.exe
1888	WScript.exe
1888	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exesvchcst.exesvchcst.exe

pid	process
656	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2716	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe

pid process

656 91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
656	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
656	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
2412	svchcst.exe
2412	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
584	svchcst.exe
584	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe
668	svchcst.exe
668	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
584	svchcst.exe
584	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
1736	svchcst.exe
1736	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 656 wrote to memory of 2100	656	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe	WScript.exe
PID 656 wrote to memory of 2100	656	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe	WScript.exe
PID 656 wrote to memory of 2100	656	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe	WScript.exe
PID 656 wrote to memory of 2100	656	91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe	WScript.exe
PID 2100 wrote to memory of 2412	2100	WScript.exe	svchcst.exe
PID 2100 wrote to memory of 2412	2100	WScript.exe	svchcst.exe
PID 2100 wrote to memory of 2412	2100	WScript.exe	svchcst.exe
PID 2100 wrote to memory of 2412	2100	WScript.exe	svchcst.exe
PID 2412 wrote to memory of 2944	2412	svchcst.exe	WScript.exe
PID 2412 wrote to memory of 2944	2412	svchcst.exe	WScript.exe
PID 2412 wrote to memory of 2944	2412	svchcst.exe	WScript.exe
PID 2412 wrote to memory of 2944	2412	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 2716	2944	WScript.exe	svchcst.exe
PID 2944 wrote to memory of 2716	2944	WScript.exe	svchcst.exe
PID 2944 wrote to memory of 2716	2944	WScript.exe	svchcst.exe
PID 2944 wrote to memory of 2716	2944	WScript.exe	svchcst.exe
PID 2716 wrote to memory of 1952	2716	svchcst.exe	WScript.exe
PID 2716 wrote to memory of 1952	2716	svchcst.exe	WScript.exe
PID 2716 wrote to memory of 1952	2716	svchcst.exe	WScript.exe
PID 2716 wrote to memory of 1952	2716	svchcst.exe	WScript.exe
PID 1952 wrote to memory of 584	1952	WScript.exe	svchcst.exe
PID 1952 wrote to memory of 584	1952	WScript.exe	svchcst.exe
PID 1952 wrote to memory of 584	1952	WScript.exe	svchcst.exe
PID 1952 wrote to memory of 584	1952	WScript.exe	svchcst.exe
PID 584 wrote to memory of 688	584	svchcst.exe	WScript.exe
PID 584 wrote to memory of 688	584	svchcst.exe	WScript.exe
PID 584 wrote to memory of 688	584	svchcst.exe	WScript.exe
PID 584 wrote to memory of 688	584	svchcst.exe	WScript.exe
PID 688 wrote to memory of 2060	688	WScript.exe	svchcst.exe
PID 688 wrote to memory of 2060	688	WScript.exe	svchcst.exe
PID 688 wrote to memory of 2060	688	WScript.exe	svchcst.exe
PID 688 wrote to memory of 2060	688	WScript.exe	svchcst.exe
PID 2060 wrote to memory of 2392	2060	svchcst.exe	WScript.exe
PID 2060 wrote to memory of 2392	2060	svchcst.exe	WScript.exe
PID 2060 wrote to memory of 2392	2060	svchcst.exe	WScript.exe
PID 2060 wrote to memory of 2392	2060	svchcst.exe	WScript.exe
PID 2392 wrote to memory of 1944	2392	WScript.exe	svchcst.exe
PID 2392 wrote to memory of 1944	2392	WScript.exe	svchcst.exe
PID 2392 wrote to memory of 1944	2392	WScript.exe	svchcst.exe
PID 2392 wrote to memory of 1944	2392	WScript.exe	svchcst.exe
PID 1944 wrote to memory of 336	1944	svchcst.exe	WScript.exe
PID 1944 wrote to memory of 336	1944	svchcst.exe	WScript.exe
PID 1944 wrote to memory of 336	1944	svchcst.exe	WScript.exe
PID 1944 wrote to memory of 336	1944	svchcst.exe	WScript.exe
PID 336 wrote to memory of 2936	336	WScript.exe	svchcst.exe
PID 336 wrote to memory of 2936	336	WScript.exe	svchcst.exe
PID 336 wrote to memory of 2936	336	WScript.exe	svchcst.exe
PID 336 wrote to memory of 2936	336	WScript.exe	svchcst.exe
PID 2936 wrote to memory of 2988	2936	svchcst.exe	WScript.exe
PID 2936 wrote to memory of 2988	2936	svchcst.exe	WScript.exe
PID 2936 wrote to memory of 2988	2936	svchcst.exe	WScript.exe
PID 2936 wrote to memory of 2988	2936	svchcst.exe	WScript.exe
PID 2988 wrote to memory of 1652	2988	WScript.exe	svchcst.exe
PID 2988 wrote to memory of 1652	2988	WScript.exe	svchcst.exe
PID 2988 wrote to memory of 1652	2988	WScript.exe	svchcst.exe
PID 2988 wrote to memory of 1652	2988	WScript.exe	svchcst.exe
PID 1652 wrote to memory of 872	1652	svchcst.exe	WScript.exe
PID 1652 wrote to memory of 872	1652	svchcst.exe	WScript.exe
PID 1652 wrote to memory of 872	1652	svchcst.exe	WScript.exe
PID 1652 wrote to memory of 872	1652	svchcst.exe	WScript.exe
PID 872 wrote to memory of 3000	872	WScript.exe	svchcst.exe
PID 872 wrote to memory of 3000	872	WScript.exe	svchcst.exe
PID 872 wrote to memory of 3000	872	WScript.exe	svchcst.exe
PID 872 wrote to memory of 3000	872	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe
"C:\Users\Admin\AppData\Local\Temp\91152f975cbe6a361fe5bf364f8ea6f7d45b577b208bdcea74c0e2b403338de1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2708

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2892

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2724

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1860

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:2228

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1332

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2108

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2592

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:2528

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2428

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2408

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:772

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:1764

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:2816

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
- Loads dropped DLL
PID:1888

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
48⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b7514164d23f825023107651a5af7c68

SHA1
031444070658808392f32e04bdf264ba529ae583

SHA256
9bebd6ef8fc535b4b4cbbdffd9743ae6c3422e2e7e017ecffd55a87284f8758a

SHA512
dd4609bcb14a323150e4d2af0337b0832053e4df8e2c61ddd32df308cc3466a0672f2b084acfeed5a2308fa5f155bb8db0b0393403f1a478adbcf7d879d9ae2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dac7c0a2b21b48d0a42546bc1fc71ea5

SHA1
76105defbbae913493c7c5dd2d9ea34a88f9035a

SHA256
253a35895bb535dbb5c375d072210c9f464e68481835959b205f5503fb394e67

SHA512
8b7b9998e90c5f738cc6d226b004788c468f5f783931258fa36df80583d60c2a308e58b7b268430b9eb58009e2f47b5289cc9430465b2dc6d9e0d296eb4ee300

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
892d5f76bd731ce94e189c1ee5602a3b

SHA1
5d406b18d808ea4ff1628fb947e1d147bfa383a4

SHA256
46d1863b58b62b0a584bdf3560484fe56afda978a1ce21f878f762a9a675c3a2

SHA512
9d651f4b0f1fabafcaecd43c16e9dc29423bd79a1d900e0d34c3509002dd4f51357b979bceaf6da0a1390779c7ea5b0f7c3f050957e8db98811fe288a25da843

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0357391a9d2db544adfe933b66a4785f

SHA1
2e730586dcfe75710c1efac6ad557f8ef092cf09

SHA256
8a674d8022927da6754f4d19d0ae7287e5a962105771660fb6f315bd3f1ad492

SHA512
cd5d4aca4ae0340755845e068cc9cb93020b9c9abf68a7477326c4a29cadff9cc47b46319d1fab9cbddddffa998edadd4f4a29289fb69c8ae54b4eb4ad1f5928

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
20e589101c5efcc7e614ac7bb155066b

SHA1
f43191e9e580217ea0db39b35f65d357d5789e1a

SHA256
c8fe28dea811570cab011a3d86cbfba5210aa5c260040cf12a599759c88ebf96

SHA512
b163116e45c6dabe567de6f93bc80938681a27f7f102782de72366495da34862f212bfe1348b13a66fceee4cad5788b279d2e06cb97f6cd1b2062e20dbc18515

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8a76bd15d45e6b03629d8f1386979e38

SHA1
b636f1235dff90e61e36673116e32a650a88fd54

SHA256
db8aeed6b7b03e44d783a8fb8a8ab6809b8b5dee444d29e257db3e2c951046cd

SHA512
f2a4f87d0c899034fdd499a3fafa2b07d560835244ea35bb27e15857e478ba3699e7e90f80ebcdd49738cc42ab8508b4f7b4cef8169b85a874f08799003090f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a7080faf6a045c07afa0e3cc2e79e151

SHA1
42eed5c759ab8fe2ab647907dc8ad667fa1ad484

SHA256
ff0b8fbc120780cf313c3f17bd9b4080006eada901d9bb83a8468304eff2bd98

SHA512
c1c2319440abac5c0ced5aba35440c52b76b5903f28cb8ed3df61a395d58ac5f6dd590111a5106bc0b88c63ba5b0500ffdab9a52f73586aa668a2d1217e11c37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2c40b6384fd42eb8683875d90374d367

SHA1
df12e9b24ba30bee094aa388a1b19e12ea874bb0

SHA256
f21220f407f69838116eae03b6a6f5124fabe5307c28dd944b9d3b15ffbc5c68

SHA512
e4e356a80671c37ec4c1729b2843e7e2b7ef2e10fa2c04e8cbdf4ea5160cac77d77de7ce262149aeda0998da61884e1acf54b1c91c0f084a3212cdf3d8a6ce07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3ad0231fd3d6053b9281b2354115d9ae

SHA1
3abd90f76fcac714bf97ef1c94b1eb4a32943e0d

SHA256
47af1d1ed4635c0598c0a7ffe5a011ddeedc6591d2e0c89f73c4303582de36db

SHA512
db1102c662db421aa4402fa99262fb533d5fa88404da83067c1e694433324e8fcd972fb113b907230ac78ea2dda309c606dc557019e6c22f19fb6a423e82a784

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
762127fa9c985dfd5eb37fec128cbcd1

SHA1
62c3b2863741eac166b52bd0690029fbbf0b0256

SHA256
1b22cc136aa119d1fd70f39906e1e5274467500263024aa7733865b35f9265d9

SHA512
1772ffdb5b38aeb7057b30469fe548dddb38134f019980372ca293fcc1b34750bb073fdeb59d2f45f0293fed356c55d6fb591b4c999926219a88aa586a7ca1c5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/656-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download