99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
Size

1.1MB
MD5

09fc4e2ff1c048f4fc346a8d61d6f203
SHA1

3f0743f92c439bbbd600320ab231c517e1a530fb
SHA256

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06
SHA512

752ed67aebbea9087122df1e8d991241707b216e0af6cfaf03561dfa7c49a5cf6e62ed08cddbb435ba0ed7fa96481cbbeb19d5981f418c66d92821cb8635715f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qj:CcaClSFlG4ZM7QzM0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

svchcst.exe

pid process

2324 svchcst.exe

Executes dropped EXE 24 IoCs

Processes:

svchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
2324	svchcst.exe
2392	svchcst.exe
3004	svchcst.exe
1644	svchcst.exe
2304	svchcst.exe
2108	svchcst.exe
924	svchcst.exe
2572	svchcst.exe
3012	svchcst.exe
2264	svchcst.exe
2848	svchcst.exe
3032	svchcst.exe
1640	svchcst.exe
2308	svchcst.exe
348	svchcst.exe
1780	svchcst.exe
2184	svchcst.exe
1956	svchcst.exe
840	svchcst.exe
1300	svchcst.exe
2824	svchcst.exe
1100	svchcst.exe
1720	svchcst.exe
2084	svchcst.exe

Loads dropped DLL 45 IoCs

Processes:

WScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exeWScript.exe

pid	process
2264	WScript.exe
2264	WScript.exe
2724	WScript.exe
2724	WScript.exe
1592	WScript.exe
1592	WScript.exe
1592	WScript.exe
1412	WScript.exe
1412	WScript.exe
2200	WScript.exe
2200	WScript.exe
1416	WScript.exe
1416	WScript.exe
1656	WScript.exe
1656	WScript.exe
2280	WScript.exe
2280	WScript.exe
2712	WScript.exe
2216	WScript.exe
2392	WScript.exe
2392	WScript.exe
1720	WScript.exe
1720	WScript.exe
2576	WScript.exe
2576	WScript.exe
1760	WScript.exe
1760	WScript.exe
1000	WScript.exe
1000	WScript.exe
2364	WScript.exe
2364	WScript.exe
1480	WScript.exe
1480	WScript.exe
2124	WScript.exe
2124	WScript.exe
2412	WScript.exe
2412	WScript.exe
872	WScript.exe
872	WScript.exe
2156	WScript.exe
2156	WScript.exe
2632	WScript.exe
2632	WScript.exe
1912	WScript.exe
1912	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exesvchcst.exe

pid	process
1820	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe

pid process

1820 99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exesvchcst.exe

pid	process
1820	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
1820	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
2324	svchcst.exe
2324	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
924	svchcst.exe
924	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
1640	svchcst.exe
1640	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
348	svchcst.exe
348	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
2184	svchcst.exe
2184	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
840	svchcst.exe
840	svchcst.exe
1300	svchcst.exe
1300	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
1100	svchcst.exe
1100	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exesvchcst.exeWScript.exe

description	pid	process	target process
PID 1820 wrote to memory of 2264	1820	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe	WScript.exe
PID 1820 wrote to memory of 2264	1820	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe	WScript.exe
PID 1820 wrote to memory of 2264	1820	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe	WScript.exe
PID 1820 wrote to memory of 2264	1820	99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe	WScript.exe
PID 2264 wrote to memory of 2324	2264	WScript.exe	svchcst.exe
PID 2264 wrote to memory of 2324	2264	WScript.exe	svchcst.exe
PID 2264 wrote to memory of 2324	2264	WScript.exe	svchcst.exe
PID 2264 wrote to memory of 2324	2264	WScript.exe	svchcst.exe
PID 2324 wrote to memory of 2724	2324	svchcst.exe	WScript.exe
PID 2324 wrote to memory of 2724	2324	svchcst.exe	WScript.exe
PID 2324 wrote to memory of 2724	2324	svchcst.exe	WScript.exe
PID 2324 wrote to memory of 2724	2324	svchcst.exe	WScript.exe
PID 2324 wrote to memory of 1592	2324	svchcst.exe	WScript.exe
PID 2324 wrote to memory of 1592	2324	svchcst.exe	WScript.exe
PID 2324 wrote to memory of 1592	2324	svchcst.exe	WScript.exe
PID 2324 wrote to memory of 1592	2324	svchcst.exe	WScript.exe
PID 2724 wrote to memory of 2392	2724	WScript.exe	svchcst.exe
PID 2724 wrote to memory of 2392	2724	WScript.exe	svchcst.exe
PID 2724 wrote to memory of 2392	2724	WScript.exe	svchcst.exe
PID 2724 wrote to memory of 2392	2724	WScript.exe	svchcst.exe
PID 2392 wrote to memory of 3024	2392	svchcst.exe	WScript.exe
PID 2392 wrote to memory of 3024	2392	svchcst.exe	WScript.exe
PID 2392 wrote to memory of 3024	2392	svchcst.exe	WScript.exe
PID 2392 wrote to memory of 3024	2392	svchcst.exe	WScript.exe
PID 1592 wrote to memory of 3004	1592	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 3004	1592	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 3004	1592	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 3004	1592	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 1644	1592	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 1644	1592	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 1644	1592	WScript.exe	svchcst.exe
PID 1592 wrote to memory of 1644	1592	WScript.exe	svchcst.exe
PID 1644 wrote to memory of 1412	1644	svchcst.exe	WScript.exe
PID 1644 wrote to memory of 1412	1644	svchcst.exe	WScript.exe
PID 1644 wrote to memory of 1412	1644	svchcst.exe	WScript.exe
PID 1644 wrote to memory of 1412	1644	svchcst.exe	WScript.exe
PID 1412 wrote to memory of 2304	1412	WScript.exe	svchcst.exe
PID 1412 wrote to memory of 2304	1412	WScript.exe	svchcst.exe
PID 1412 wrote to memory of 2304	1412	WScript.exe	svchcst.exe
PID 1412 wrote to memory of 2304	1412	WScript.exe	svchcst.exe
PID 2304 wrote to memory of 2200	2304	svchcst.exe	WScript.exe
PID 2304 wrote to memory of 2200	2304	svchcst.exe	WScript.exe
PID 2304 wrote to memory of 2200	2304	svchcst.exe	WScript.exe
PID 2304 wrote to memory of 2200	2304	svchcst.exe	WScript.exe
PID 2200 wrote to memory of 2108	2200	WScript.exe	svchcst.exe
PID 2200 wrote to memory of 2108	2200	WScript.exe	svchcst.exe
PID 2200 wrote to memory of 2108	2200	WScript.exe	svchcst.exe
PID 2200 wrote to memory of 2108	2200	WScript.exe	svchcst.exe
PID 2108 wrote to memory of 1416	2108	svchcst.exe	WScript.exe
PID 2108 wrote to memory of 1416	2108	svchcst.exe	WScript.exe
PID 2108 wrote to memory of 1416	2108	svchcst.exe	WScript.exe
PID 2108 wrote to memory of 1416	2108	svchcst.exe	WScript.exe
PID 1416 wrote to memory of 924	1416	WScript.exe	svchcst.exe
PID 1416 wrote to memory of 924	1416	WScript.exe	svchcst.exe
PID 1416 wrote to memory of 924	1416	WScript.exe	svchcst.exe
PID 1416 wrote to memory of 924	1416	WScript.exe	svchcst.exe
PID 924 wrote to memory of 1656	924	svchcst.exe	WScript.exe
PID 924 wrote to memory of 1656	924	svchcst.exe	WScript.exe
PID 924 wrote to memory of 1656	924	svchcst.exe	WScript.exe
PID 924 wrote to memory of 1656	924	svchcst.exe	WScript.exe
PID 1656 wrote to memory of 2572	1656	WScript.exe	svchcst.exe
PID 1656 wrote to memory of 2572	1656	WScript.exe	svchcst.exe
PID 1656 wrote to memory of 2572	1656	WScript.exe	svchcst.exe
PID 1656 wrote to memory of 2572	1656	WScript.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe
"C:\Users\Admin\AppData\Local\Temp\99c1deff5b3f3b401128625a37d1c7ff1eb4752bde02756fb88f14e2ebba1f06.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
3⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
PID:3024

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
10⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
14⤵
- Loads dropped DLL
PID:2280

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
16⤵
- Loads dropped DLL
PID:2712

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
18⤵
- Loads dropped DLL
PID:2216

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
20⤵
- Loads dropped DLL
PID:2392

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
22⤵
- Loads dropped DLL
PID:1720

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
24⤵
- Loads dropped DLL
PID:2576

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
26⤵
- Loads dropped DLL
PID:1760

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
28⤵
- Loads dropped DLL
PID:1000

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
30⤵
- Loads dropped DLL
PID:2364

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
32⤵
- Loads dropped DLL
PID:1480

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
34⤵
- Loads dropped DLL
PID:2124

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
36⤵
- Loads dropped DLL
PID:2412

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
37⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
38⤵
- Loads dropped DLL
PID:872

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
40⤵
- Loads dropped DLL
PID:2156

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
41⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
42⤵
- Loads dropped DLL
PID:2632

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
43⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
44⤵
- Loads dropped DLL
PID:1912

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
45⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
46⤵
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
aa6d54672c103cee8d72f7771633762f

SHA1
2abbc4dcd5c7e3b48d06fcdd64ce0587c1d9d5ac

SHA256
e431a0d54cc6be0157fd38edfaaddb3ba9287fa2df017eea9029fe4e6f8e4577

SHA512
4f3318a29896c36effc35cf13a20ff808184b90057a0bbd570930c2f0277d58a1b69dbeb4938082d7e59d12b570032136c48dc7c7000c7bf51c405c0b1e9a81a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
840853c0aa5a4d702a8110a0cb763b4b

SHA1
58d028e09818c3fd2a9d521c26772cf4d1a9072a

SHA256
4438df44bf53668a332407b1c60d745bd1293a3f1acab9953b1d77e5131d2728

SHA512
f2b044e4710dadb03164bc78519207bd8d39d2cf9d4568fc11c38271eabc3e57410083b1cf29e40b1f6119ffa33ed4784ef652f112e50b554c2983755a606b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a6c8b4be3631b07069c896f15faef3d2

SHA1
8e3eadcd80c446aa329b3f26aa5e969e4e82f7f1

SHA256
d919fb8234e4139da4f74f6ad9ed92b90d5265cbb68d053a655642b1724fdfa5

SHA512
42d7d677abe4c05bbfc4879d5a2261f2e71e29277a908f93ff45f3a327973bdd716d67817ad3819f21ca9b0fcefe89b0ebee486cdc5afb3b2a2a7f7599436f20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
96ec817ca5f3b94ec0ad5fa759e97312

SHA1
81e35676b86c21b9f89f014c828af7ce706c08cb

SHA256
ce117efa967508c4660a3f20b183f252c348799471049e521c7551ff3b27c8e0

SHA512
ab20bd8ca675438e724f6b5e2ad042ca96fcef45e719798880b7408ddcb715c7b44dfdd649b48ef5da7cfabb3b7a8574fadd462772fcf20104f0a882bae48358

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e0e199ebe2816a3f3f9c69669a04448f

SHA1
053daa705809fafe87fc7c56852772dab45342eb

SHA256
bbfa4015edffb957b78bfdca07e074d34c17c6e96fd3c9f551f29a55274632f5

SHA512
33b60a320f5e69f106abcdce74b87b66363e21c0231b4574bf66a738072f38830cc6a4fb8b2b0c8450dff896e5cce4610a5edc757a2e03b1522312b20810b939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
92003c0bb0e063d7247f16afc82dc759

SHA1
a83f648bd59e132fc73920932dc20a2c8c6b0235

SHA256
0545ddc164d9b4bbf997170547d0a8915e0abad544966094df53c95a9a44392c

SHA512
402569f2568a7f73968070ea864ae344decc160a608f5a00abe2778a92d4e38032bd92f3d439d8aa1621dd0a5e9e19bdcf5bd852c869cab94e2377917f000fb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4780cae974f4d32e11cc9a952e8ea8b2

SHA1
278532fe0edec3f427ea7e21401f0cec134578df

SHA256
a3590f976cde89e64a52bcdb4a1b1712e70697e6123cac019ae0cc53805e317f

SHA512
d316ea2993d8829c2b4abd5524c38f46671dfd5f7c062e17cce47947176905bf58724a6c12790d57409d5e1c982523bccb509fd9bf361d993d7b65041d72fdf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
496a18b73e6364bae93dabf525e54b83

SHA1
d1ed40ec281ab8c2477163edb9ebfeb1afb77b49

SHA256
05bc6e0fc101a71ce7cb110d6b92dba5eeb750d1fa767b1076c315403abb438a

SHA512
bda18059b1536abb7076101642f4acd6224e12126c6462635d24c338f8efd4bb7f98e4709d4780e1d926231750e8294876e832f5895f9a59478918b5143f1530

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8ac57b1b4464af6c1497d4de4e55e6c8

SHA1
63020172f02a124ec70ad697ea3eeee3e2787977

SHA256
aac472b945349a9ed143a1dd4a4fc3e4bd3831f237cf296f40027c6e626d7145

SHA512
ca21119cad97cbc76c4af49add6debf5f326dfebb7ee9d5713adf91edfc71464e7886aa793874ec3e483629a376d7663cc4fc9b54057ee3a113ccfa1ec1d49d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c7f20b0a4bd17aafc75e8166815b139e

SHA1
44ec8e10e5eaf5dea924005b14dcef4e9001b8f6

SHA256
65b258ebd9e0f45a3f10421ebf74808c338066ca96f29a37d8667216043f344a

SHA512
26c95a1f01115f6443e1b51a9e79ea797795ca08fe2a19f55e49df196fd470c53a57b9ea24e2064727be9bac922665ae749ea9a39f48e1a6e3189b3d1f6d37f8

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1820-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download