b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
Size

1.1MB
MD5

579b0058d6e634e57449ca00f9e5fdab
SHA1

77e81ea389e7aa91bd0f0f3edf7c5216f72950e3
SHA256

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9
SHA512

391cd5d9bc1ed28ec8e4dc108ee80cc5adb8394399a66655584633187d902803c85bef1da24826c89580dc5a13a15621a521a154686e06f08960248bbc357443
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qh:CcaClSFlG4ZM7QzMC

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2304 svchcst.exe

Executes dropped EXE 24 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2304	svchcst.exe
2556	svchcst.exe
2820	svchcst.exe
3064	svchcst.exe
1860	svchcst.exe
2332	svchcst.exe
2680	svchcst.exe
2784	svchcst.exe
580	svchcst.exe
2296	svchcst.exe
2016	svchcst.exe
2460	svchcst.exe
836	svchcst.exe
1096	svchcst.exe
1748	svchcst.exe
2780	svchcst.exe
572	svchcst.exe
580	svchcst.exe
584	svchcst.exe
2688	svchcst.exe
1612	svchcst.exe
1812	svchcst.exe
2008	svchcst.exe
956	svchcst.exe

Loads dropped DLL 48 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2708	WScript.exe
2708	WScript.exe
2924	WScript.exe
2924	WScript.exe
2688	WScript.exe
2688	WScript.exe
1948	WScript.exe
1948	WScript.exe
668	WScript.exe
668	WScript.exe
956	WScript.exe
956	WScript.exe
2432	WScript.exe
2432	WScript.exe
1256	WScript.exe
1256	WScript.exe
2884	WScript.exe
2884	WScript.exe
2936	WScript.exe
2936	WScript.exe
2964	WScript.exe
2964	WScript.exe
2260	WScript.exe
2260	WScript.exe
2672	WScript.exe
2672	WScript.exe
2464	WScript.exe
2464	WScript.exe
2504	WScript.exe
2504	WScript.exe
2852	WScript.exe
2852	WScript.exe
984	WScript.exe
984	WScript.exe
2316	WScript.exe
2316	WScript.exe
1844	WScript.exe
1844	WScript.exe
2924	WScript.exe
2924	WScript.exe
2284	WScript.exe
2284	WScript.exe
2964	WScript.exe
2964	WScript.exe
1188	WScript.exe
1188	WScript.exe
2036	WScript.exe
2036	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exesvchcst.exe

pid	process
2056	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe

pid process

2056 b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2056	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
2056	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
2304	svchcst.exe
2304	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
580	svchcst.exe
580	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
836	svchcst.exe
836	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
572	svchcst.exe
572	svchcst.exe
580	svchcst.exe
580	svchcst.exe
584	svchcst.exe
584	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
1612	svchcst.exe
1612	svchcst.exe
1812	svchcst.exe
1812	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
956	svchcst.exe
956	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 2056 wrote to memory of 2708	2056	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 2056 wrote to memory of 2708	2056	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 2056 wrote to memory of 2708	2056	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 2056 wrote to memory of 2708	2056	b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe	WScript.exe
PID 2708 wrote to memory of 2304	2708	WScript.exe	svchcst.exe
PID 2708 wrote to memory of 2304	2708	WScript.exe	svchcst.exe
PID 2708 wrote to memory of 2304	2708	WScript.exe	svchcst.exe
PID 2708 wrote to memory of 2304	2708	WScript.exe	svchcst.exe
PID 2304 wrote to memory of 2924	2304	svchcst.exe	WScript.exe
PID 2304 wrote to memory of 2924	2304	svchcst.exe	WScript.exe
PID 2304 wrote to memory of 2924	2304	svchcst.exe	WScript.exe
PID 2304 wrote to memory of 2924	2304	svchcst.exe	WScript.exe
PID 2924 wrote to memory of 2556	2924	WScript.exe	svchcst.exe
PID 2924 wrote to memory of 2556	2924	WScript.exe	svchcst.exe
PID 2924 wrote to memory of 2556	2924	WScript.exe	svchcst.exe
PID 2924 wrote to memory of 2556	2924	WScript.exe	svchcst.exe
PID 2556 wrote to memory of 2688	2556	svchcst.exe	WScript.exe
PID 2556 wrote to memory of 2688	2556	svchcst.exe	WScript.exe
PID 2556 wrote to memory of 2688	2556	svchcst.exe	WScript.exe
PID 2556 wrote to memory of 2688	2556	svchcst.exe	WScript.exe
PID 2688 wrote to memory of 2820	2688	WScript.exe	svchcst.exe
PID 2688 wrote to memory of 2820	2688	WScript.exe	svchcst.exe
PID 2688 wrote to memory of 2820	2688	WScript.exe	svchcst.exe
PID 2688 wrote to memory of 2820	2688	WScript.exe	svchcst.exe
PID 2820 wrote to memory of 1948	2820	svchcst.exe	WScript.exe
PID 2820 wrote to memory of 1948	2820	svchcst.exe	WScript.exe
PID 2820 wrote to memory of 1948	2820	svchcst.exe	WScript.exe
PID 2820 wrote to memory of 1948	2820	svchcst.exe	WScript.exe
PID 1948 wrote to memory of 3064	1948	WScript.exe	svchcst.exe
PID 1948 wrote to memory of 3064	1948	WScript.exe	svchcst.exe
PID 1948 wrote to memory of 3064	1948	WScript.exe	svchcst.exe
PID 1948 wrote to memory of 3064	1948	WScript.exe	svchcst.exe
PID 3064 wrote to memory of 668	3064	svchcst.exe	WScript.exe
PID 3064 wrote to memory of 668	3064	svchcst.exe	WScript.exe
PID 3064 wrote to memory of 668	3064	svchcst.exe	WScript.exe
PID 3064 wrote to memory of 668	3064	svchcst.exe	WScript.exe
PID 668 wrote to memory of 1860	668	WScript.exe	svchcst.exe
PID 668 wrote to memory of 1860	668	WScript.exe	svchcst.exe
PID 668 wrote to memory of 1860	668	WScript.exe	svchcst.exe
PID 668 wrote to memory of 1860	668	WScript.exe	svchcst.exe
PID 1860 wrote to memory of 956	1860	svchcst.exe	WScript.exe
PID 1860 wrote to memory of 956	1860	svchcst.exe	WScript.exe
PID 1860 wrote to memory of 956	1860	svchcst.exe	WScript.exe
PID 1860 wrote to memory of 956	1860	svchcst.exe	WScript.exe
PID 956 wrote to memory of 2332	956	WScript.exe	svchcst.exe
PID 956 wrote to memory of 2332	956	WScript.exe	svchcst.exe
PID 956 wrote to memory of 2332	956	WScript.exe	svchcst.exe
PID 956 wrote to memory of 2332	956	WScript.exe	svchcst.exe
PID 2332 wrote to memory of 2432	2332	svchcst.exe	WScript.exe
PID 2332 wrote to memory of 2432	2332	svchcst.exe	WScript.exe
PID 2332 wrote to memory of 2432	2332	svchcst.exe	WScript.exe
PID 2332 wrote to memory of 2432	2332	svchcst.exe	WScript.exe
PID 2432 wrote to memory of 2680	2432	WScript.exe	svchcst.exe
PID 2432 wrote to memory of 2680	2432	WScript.exe	svchcst.exe
PID 2432 wrote to memory of 2680	2432	WScript.exe	svchcst.exe
PID 2432 wrote to memory of 2680	2432	WScript.exe	svchcst.exe
PID 2680 wrote to memory of 1256	2680	svchcst.exe	WScript.exe
PID 2680 wrote to memory of 1256	2680	svchcst.exe	WScript.exe
PID 2680 wrote to memory of 1256	2680	svchcst.exe	WScript.exe
PID 2680 wrote to memory of 1256	2680	svchcst.exe	WScript.exe
PID 1256 wrote to memory of 2784	1256	WScript.exe	svchcst.exe
PID 1256 wrote to memory of 2784	1256	WScript.exe	svchcst.exe
PID 1256 wrote to memory of 2784	1256	WScript.exe	svchcst.exe
PID 1256 wrote to memory of 2784	1256	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe
"C:\Users\Admin\AppData\Local\Temp\b3fc04b343629f20e3585c8b9df5796d27db479607a3c86ca838b56234d2d8a9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2884

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2936

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:2964

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:2260

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:2672

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:2464

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2504

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:2852

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:984

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2316

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:1844

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:2924

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:2964

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:1188

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
- Loads dropped DLL
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
47⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
48⤵
PID:1932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
PID:1680

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:2284

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
849ebc39ccb2276156390d0aeb6ba0b4

SHA1
abf72bc86b21835e1f68bc73a28e6c426c7684f1

SHA256
b0334e26978ff2dd1c6ebf0d5e8062225c8b1e5656b5f15b11c1676a3a6c9923

SHA512
7cbae5da5ec40ab3858bea3989156c1671ce09ef95a2a7f8858c3afbc235f9da44e9ce83a7a2ad41037e48e153eeb27e38b501d12297852b2c75ce1003e5543b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
51b2348c37bbedcb127fa176820f5ea2

SHA1
6e70ca09179127890e64c4ffa345b2af573c39fa

SHA256
7b37f5580068bfba5583d762d9b64c8ee6468a9e064547f230757c4be595bd02

SHA512
0f9755ae0408b0dd6e1279bfa8c5dfbe63b3775a81a3c5b342c5e56e7521d292b0c4e94053e6fa0c3da233f3af60aae2dc28749f991ea81fd9bf2627698a343e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7ad8eee39282878488be26e528242020

SHA1
afe15f35aac28fa82fb321d7b619ec8f66fd01dd

SHA256
4971f7d34db1aa34cf3dff7f24dbaeae3b9e00996db20d7d75fb4520795cc3c5

SHA512
4bcbce1ac3fe98784cfc1355d49dedef2bf5e190fd1c90072429e405b5ea5647adb666f796d9af85a5f2bf1f6e687b8da120bf04001e58730d30326c541b4f51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c21263d75ac5eef11ce6cf78ba130dc0

SHA1
8ab17688b389e86e181c27cb12b11eb068ccf2ab

SHA256
df4f86bb7727a010a60582a0c5b717ee710b9fbd8e69b351e463ae93d7b4e812

SHA512
a062b0db9097269c0d55645f4a4bb42ea968b52ba83b83869e8663a51f49ba17b60b48f1360792253aa57149db409f2aa3d9afb5a39edea6462e72becb90eab0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e865eee995782b8bfa69a7220cbf4b64

SHA1
a865d85b6e9b3eb417892c2624d343f87ff271d5

SHA256
24ea478e811ace722bc4af0840cf5ed24260dd3d437d76bf48619bbcc9f9e663

SHA512
2460dc1b8109e5c72efa87deec9d1e24a4a5ba83d046da3f1418843a7d3a6f473914c33ad1684696ded410569775a3e8e1adf9d45602a636886f69284364f0cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
281772f95c0b1e29fe93729540b57c45

SHA1
e31be9d5fb326ec768d4e1fe2e5b9c636c91963c

SHA256
05287953636e21c178738dcb43bf246918a882c4118d535f4e18040be8859efb

SHA512
9af8115aa0bcc4bfd8c4cc8787c970f1d9b6f2098f3004966f3b484030a9812bd61002b16118ed6aec3afeb25159155b1d66dff20e7cdf93ca11777c6cb7aa36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d3a846ed3ec9f2af9c5cd9f31f79031d

SHA1
07f6f52584827d5c9b4752bd040d6ca04438faac

SHA256
10fc2a02fc7b6b235b0221c9917adac441d7b1d838d4f6e6aa206c500eeea9b3

SHA512
2cc1f42432ee0c7826c0497a3588d085bb7f2a5859ea744e313a5f5b70eab82ae2b794e743d10f2459da1b9e6c266a7ae4327091086cb4393c40aa9f75d01b0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
06b4411a31b8fe4b933eee606fe55901

SHA1
57ce01414b3445f4be6e26b8ffd746ede551c0fd

SHA256
a006d804653a031572d5451cd865649edee182c6f99cd5346172b61dbefb4644

SHA512
a677e551b99e706f69bdd90c60762cce7d354414ac7bc47425d0244e4ac452c814df0b00f7704e4770a2c33a5beb48712e31a0ed703e1b2680587bb13f2a6e03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e8b3362e3665bbbb4400e73625214cc5

SHA1
ee22cf914cd37978b7e387d6154e37d05a987985

SHA256
cfe13818ffc38be595f8bf93efe5b8c6e25d2c2b2516771843f65597cc826616

SHA512
0fcd486b1bd33a0269e0c14af8a8b9d2612c2e19b7b2e4fa7d445087653c8c894e2894fbeeebda1156fe3d8a3c0f1282b47177db7721cdc1d9ee1e91f41e66b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
75a2d5ba7309ed07df3a7165fce625f2

SHA1
d3943e0ce20e5609a3bf838d0230390190df40f0

SHA256
95e824ed5eb8ff80956a90f679e2ffa17745fc7cd089d5e7bfe899df9cdc15ee

SHA512
834cb66fd4f2881505a841704bcbde2224a5507b3147d20a16f86ca9f1a6f9372767ed985e03b952e307cb24242e57ce09d57367688c32ad03d8980f7ccdaa4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bb361cb0dec8f5322bc659f9cee4b673

SHA1
b31efa3029ece4ca33c65c8f17d26db1ef918062

SHA256
06ac7919843fc7d37c60b10184ebb7ed3adfea2649c0d3dcaea79b0a9a7116b2

SHA512
8f50ee3072ce76fe23f640397432622a5b8547d5bff1ee7b4c89e788d0d5becf9b747726fcc6562a664a2b6bb3e95627a0e881608c16907f11da19855f41cc2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
724611fa5adccb7bd19084b08f0f44d6

SHA1
64b48a6051489a1ca0bc69aa44f0fece05bf5d49

SHA256
3278b597f5a370f39949f27ad8efb845197fe4aa1b52b21c37fd724ef91f206b

SHA512
8fc369968a68487917058ca1587c6f70d72f4e665234c1ffbae758b6c829df6ecf87da028512cee3231683491cf6bfabcbc6ceb10698f749247d8ec5e44d2bdd

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2056-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download