9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe
Size

1.1MB
MD5

8239e4b1405d8b7855048a00f079a1ad
SHA1

b976d994d476075d5dbd5dec6c3bccad1002af66
SHA256

9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c
SHA512

e0ec149b46de6776cfaadb8e929caec9aa518d92902a8eb58760f17a0d6b310640c951ba2cffd026522c9271e8225acf7dc652d0865e55d63e643c20461cc36f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q7:CcaClSFlG4ZM7QzMM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2600 svchcst.exe

Executes dropped EXE 23 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2600	svchcst.exe
2944	svchcst.exe
2016	svchcst.exe
1472	svchcst.exe
1948	svchcst.exe
600	svchcst.exe
2312	svchcst.exe
2756	svchcst.exe
2800	svchcst.exe
2196	svchcst.exe
620	svchcst.exe
2256	svchcst.exe
2632	svchcst.exe
1760	svchcst.exe
296	svchcst.exe
2780	svchcst.exe
3060	svchcst.exe
2896	svchcst.exe
588	svchcst.exe
2856	svchcst.exe
2224	svchcst.exe
1828	svchcst.exe
2632	svchcst.exe

Loads dropped DLL 43 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2800	WScript.exe
2800	WScript.exe
2436	WScript.exe
840	WScript.exe
840	WScript.exe
764	WScript.exe
764	WScript.exe
2220	WScript.exe
2220	WScript.exe
856	WScript.exe
856	WScript.exe
2316	WScript.exe
2316	WScript.exe
2792	WScript.exe
2612	WScript.exe
2612	WScript.exe
2612	WScript.exe
1296	WScript.exe
1296	WScript.exe
2120	WScript.exe
2120	WScript.exe
1876	WScript.exe
1876	WScript.exe
2456	WScript.exe
2456	WScript.exe
2340	WScript.exe
2340	WScript.exe
872	WScript.exe
872	WScript.exe
2628	WScript.exe
2628	WScript.exe
2736	WScript.exe
2736	WScript.exe
2948	WScript.exe
2948	WScript.exe
2804	WScript.exe
2804	WScript.exe
1608	WScript.exe
1608	WScript.exe
2176	WScript.exe
2176	WScript.exe
1724	WScript.exe
1724	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exesvchcst.exe

pid	process
1424	9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe

pid process

1424 9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe

Suspicious use of SetWindowsHookEx 48 IoCs

Processes:

9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1424	9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe
1424	9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe
2600	svchcst.exe
2600	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
600	svchcst.exe
600	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
620	svchcst.exe
620	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
296	svchcst.exe
296	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
588	svchcst.exe
588	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exe

description	pid	process	target process
PID 1424 wrote to memory of 2800	1424	9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe	WScript.exe
PID 1424 wrote to memory of 2800	1424	9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe	WScript.exe
PID 1424 wrote to memory of 2800	1424	9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe	WScript.exe
PID 1424 wrote to memory of 2800	1424	9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe	WScript.exe
PID 2800 wrote to memory of 2600	2800	WScript.exe	svchcst.exe
PID 2800 wrote to memory of 2600	2800	WScript.exe	svchcst.exe
PID 2800 wrote to memory of 2600	2800	WScript.exe	svchcst.exe
PID 2800 wrote to memory of 2600	2800	WScript.exe	svchcst.exe
PID 2600 wrote to memory of 2436	2600	svchcst.exe	WScript.exe
PID 2600 wrote to memory of 2436	2600	svchcst.exe	WScript.exe
PID 2600 wrote to memory of 2436	2600	svchcst.exe	WScript.exe
PID 2600 wrote to memory of 2436	2600	svchcst.exe	WScript.exe
PID 2436 wrote to memory of 2944	2436	WScript.exe	svchcst.exe
PID 2436 wrote to memory of 2944	2436	WScript.exe	svchcst.exe
PID 2436 wrote to memory of 2944	2436	WScript.exe	svchcst.exe
PID 2436 wrote to memory of 2944	2436	WScript.exe	svchcst.exe
PID 2944 wrote to memory of 840	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 840	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 840	2944	svchcst.exe	WScript.exe
PID 2944 wrote to memory of 840	2944	svchcst.exe	WScript.exe
PID 840 wrote to memory of 2016	840	WScript.exe	svchcst.exe
PID 840 wrote to memory of 2016	840	WScript.exe	svchcst.exe
PID 840 wrote to memory of 2016	840	WScript.exe	svchcst.exe
PID 840 wrote to memory of 2016	840	WScript.exe	svchcst.exe
PID 2016 wrote to memory of 764	2016	svchcst.exe	WScript.exe
PID 2016 wrote to memory of 764	2016	svchcst.exe	WScript.exe
PID 2016 wrote to memory of 764	2016	svchcst.exe	WScript.exe
PID 2016 wrote to memory of 764	2016	svchcst.exe	WScript.exe
PID 764 wrote to memory of 1472	764	WScript.exe	svchcst.exe
PID 764 wrote to memory of 1472	764	WScript.exe	svchcst.exe
PID 764 wrote to memory of 1472	764	WScript.exe	svchcst.exe
PID 764 wrote to memory of 1472	764	WScript.exe	svchcst.exe
PID 1472 wrote to memory of 2220	1472	svchcst.exe	WScript.exe
PID 1472 wrote to memory of 2220	1472	svchcst.exe	WScript.exe
PID 1472 wrote to memory of 2220	1472	svchcst.exe	WScript.exe
PID 1472 wrote to memory of 2220	1472	svchcst.exe	WScript.exe
PID 2220 wrote to memory of 1948	2220	WScript.exe	svchcst.exe
PID 2220 wrote to memory of 1948	2220	WScript.exe	svchcst.exe
PID 2220 wrote to memory of 1948	2220	WScript.exe	svchcst.exe
PID 2220 wrote to memory of 1948	2220	WScript.exe	svchcst.exe
PID 1948 wrote to memory of 1888	1948	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 1888	1948	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 1888	1948	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 1888	1948	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 856	1948	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 856	1948	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 856	1948	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 856	1948	svchcst.exe	WScript.exe
PID 856 wrote to memory of 600	856	WScript.exe	svchcst.exe
PID 856 wrote to memory of 600	856	WScript.exe	svchcst.exe
PID 856 wrote to memory of 600	856	WScript.exe	svchcst.exe
PID 856 wrote to memory of 600	856	WScript.exe	svchcst.exe
PID 600 wrote to memory of 2316	600	svchcst.exe	WScript.exe
PID 600 wrote to memory of 2316	600	svchcst.exe	WScript.exe
PID 600 wrote to memory of 2316	600	svchcst.exe	WScript.exe
PID 600 wrote to memory of 2316	600	svchcst.exe	WScript.exe
PID 2316 wrote to memory of 2312	2316	WScript.exe	svchcst.exe
PID 2316 wrote to memory of 2312	2316	WScript.exe	svchcst.exe
PID 2316 wrote to memory of 2312	2316	WScript.exe	svchcst.exe
PID 2316 wrote to memory of 2312	2316	WScript.exe	svchcst.exe
PID 2312 wrote to memory of 2792	2312	svchcst.exe	WScript.exe
PID 2312 wrote to memory of 2792	2312	svchcst.exe	WScript.exe
PID 2312 wrote to memory of 2792	2312	svchcst.exe	WScript.exe
PID 2312 wrote to memory of 2792	2312	svchcst.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe
"C:\Users\Admin\AppData\Local\Temp\9d8114e44f2e383298e097c1a53671df65d99c48ed610d704922ada5a85a6b9c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2792

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2612

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
PID:2836

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:1296

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2120

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:1876

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:2456

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:2340

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:872

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2628

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:2736

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2896

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2948

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:2804

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:1608

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:2176

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:1724

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
PID:2472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a7bff7ff421870cbfa1231e50451ec75

SHA1
c272ad4da1a1670c8a61b32f44782fffd62d8e77

SHA256
a362ed4c690543d1a9b6964ec1e929d0cc37cd33f9880ce343281bdef2c2e20c

SHA512
bea8bea48a1f284682b13aeffe168ab3f68d96748062a6bad90398aa2ed8a1bc784cbdf6f79e3a1df3ae7ff951a173964b0f4fb69931d74a66563270eafa8881

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
12b9fac344efa6e5baa387ccccd336d3

SHA1
17cc235680969a31b22698dbb5edd7bb3780993f

SHA256
99600d52128fc05c75ba98a44903046ad559a77371cfc27d4c551d8a23fa5025

SHA512
7aa25d1c8fc2b2903bf553596eaf55c745c632fba2ac50d37917c4769fd57953db6d9b59419a17c4156dd1065c5b8c526b69c27488d175ff4433a1bc83758a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
00d912f3632441d80162bd6d2215379e

SHA1
04531deb7cf3e3e56a3459a1c3f2307aa4076b12

SHA256
37888a7ba16779edc7b26eb9684041cffc91492d5c3cd0b10bd15f66f61bae23

SHA512
8925ae819791424df01ed701a28f7d2b29c180686cd5a9d5c0c6c0bf1cc5505060c1aa10d9d9182b7cdf20dbd5de0cdf73bb36f1a6eaa25a5cadaa1b7abda348

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9fdbc9db39f5758aa15808b279831b17

SHA1
d10cbfc6d8b9f482a90a82fa66c5427eb0726314

SHA256
21f311ff85a150df54d4abf2a740178816121f4d6276d80daf805c8930ca29fd

SHA512
9f7fb357376476681bc65a180ded549b6dbcdfdcd588702c8400e57d5e0c50b3ede6d0524ab939be03bf26f8cec6b6fd717446e17151d6faee9244602d252819

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0fb242e012d43372e173707229a3bfa1

SHA1
c2946943000edee97f8222984f20d5293d79779d

SHA256
7d71687cd4c019d9d2bde84af2e997d97dec51374cad9b7f7fea8aa5de6cb73f

SHA512
642f62a2e3cf07dc15811c326ea8fe4f3d63d51f6985528221ee91c391c3606afe9b98cab3f4fd8e00f64e1015f933f896ac47476f48d30de735748b233f1129

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
98bb8de1b417fc48699009c4c1cdfd7f

SHA1
5c27df34cb128497676e9783ce12ef2db4b66dcc

SHA256
6296656e4178c0878e73c8fb3fecfd62c3a09301e5fd6f14f0a5d7a509147d03

SHA512
27d7c0dca7b0848b23bf5663d7ae061bc46bf0f9c1b550aeba096eae73d34fa156acab52dfe544c0e40b9d5bad084afd4a8fdba704c64b3e0f64bb54b17fbf9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2f2e1a543a3e8ae8f675082645c21cda

SHA1
c5e11622a6e10c19a4ae88aa471ce7c486e8c1da

SHA256
75b24a14932d9955a3b76053d8e4cba46954af8e552e150fba12c636162dc4da

SHA512
a6c624a27cfa9387459ade871fda1917d2810eacb9c5d5ac9811d19541a240d6111387082dfc3f30cb6f1b15c69c8371040cf9076092c5f70e67f33e0de87ec4

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5e7dc67fbfdee7d943587c72a6d3c133

SHA1
0ab5fe04b416b0ee8ceb80f02197352b55e569d5

SHA256
735d7030c3e5a9bbd13a9eb3bddfd001b779ca565e401025a74362be451a4015

SHA512
4b73da851d8fc180a76ce1dbe80097448e2867b07955a751823558abf44c2287018cc348db6f673bb99620f7cd243bc3092df44c377f9748b90fa7118951cd94

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
537677e95fce298e25cc7a15a0f65361

SHA1
db2e26acd10a3f5db7d93b7bb46836be95343d5d

SHA256
489a87e6952951d10f846eb9a7d09ab6a98e6072b9c50768419dcaae47d79824

SHA512
9901fab232c8f3c403b3963791b6e084d8c70727492d1bc532a296fdef372db125f1e11ad85bbd2c43695d3f087222f86c3c7eb3b07c272456d08e1895cb6016

Download Submit
memory/1424-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download