763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641

Analysis

max time kernel
148s
max time network
35s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-01-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe
Size

1.1MB
MD5

d0a602b81d4e8acc461d159e97c8a8bf
SHA1

d86d01574f93cf636714cbfb56cad9d1b17a866d
SHA256

763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641
SHA512

6426c2d140ae71f44905b200ff0b7281f2e071fce6260721d2245889dcd8d9b37e84ca17f04ac2b9f8260f28bb0ec05deef56cb9decf0882ee9f3a4526fe25f4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMP

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2912	svchcst.exe

Executes dropped EXE 27 IoCs

pid	Process
2912	svchcst.exe
2988	svchcst.exe
1696	svchcst.exe
2844	svchcst.exe
3052	svchcst.exe
1512	svchcst.exe
952	svchcst.exe
1572	svchcst.exe
2476	svchcst.exe
1948	svchcst.exe
2296	svchcst.exe
3008	svchcst.exe
2868	svchcst.exe
2544	svchcst.exe
1628	svchcst.exe
1244	svchcst.exe
1184	svchcst.exe
1336	svchcst.exe
1672	svchcst.exe
2108	svchcst.exe
2864	svchcst.exe
1552	svchcst.exe
852	svchcst.exe
2012	svchcst.exe
1984	svchcst.exe
1344	svchcst.exe
1784	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2864	WScript.exe
2764	WScript.exe
2864	WScript.exe
2764	WScript.exe
2764	WScript.exe
2764	WScript.exe
1352	WScript.exe
1352	WScript.exe
2332	WScript.exe
2332	WScript.exe
2216	WScript.exe
2216	WScript.exe
2788	WScript.exe
2788	WScript.exe
3044	WScript.exe
2836	WScript.exe
2836	WScript.exe
1444	WScript.exe
2836	WScript.exe
2032	WScript.exe
2032	WScript.exe
2528	WScript.exe
2528	WScript.exe
2332	WScript.exe
2332	WScript.exe
2488	WScript.exe
2488	WScript.exe
2956	WScript.exe
2956	WScript.exe
320	WScript.exe
320	WScript.exe
2376	WScript.exe
2376	WScript.exe
2992	WScript.exe
2992	WScript.exe
3056	WScript.exe
3056	WScript.exe
1204	WScript.exe
1204	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe
2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe
2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe
2912	svchcst.exe
2912	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
952	svchcst.exe
952	svchcst.exe
1572	svchcst.exe
1572	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
1244	svchcst.exe
1244	svchcst.exe
1184	svchcst.exe
1184	svchcst.exe
1336	svchcst.exe
1336	svchcst.exe
1672	svchcst.exe
1672	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
852	svchcst.exe
852	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
1984	svchcst.exe
1984	svchcst.exe
1344	svchcst.exe
1344	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2764	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	28
PID 2116 wrote to memory of 2764	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	28
PID 2116 wrote to memory of 2764	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	28
PID 2116 wrote to memory of 2764	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	28
PID 2116 wrote to memory of 2864	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	29
PID 2116 wrote to memory of 2864	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	29
PID 2116 wrote to memory of 2864	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	29
PID 2116 wrote to memory of 2864	2116	763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe	29
PID 2864 wrote to memory of 2912	2864	WScript.exe	34
PID 2864 wrote to memory of 2912	2864	WScript.exe	34
PID 2864 wrote to memory of 2912	2864	WScript.exe	34
PID 2864 wrote to memory of 2912	2864	WScript.exe	34
PID 2764 wrote to memory of 2988	2764	WScript.exe	33
PID 2764 wrote to memory of 2988	2764	WScript.exe	33
PID 2764 wrote to memory of 2988	2764	WScript.exe	33
PID 2764 wrote to memory of 2988	2764	WScript.exe	33
PID 2764 wrote to memory of 1696	2764	WScript.exe	35
PID 2764 wrote to memory of 1696	2764	WScript.exe	35
PID 2764 wrote to memory of 1696	2764	WScript.exe	35
PID 2764 wrote to memory of 1696	2764	WScript.exe	35
PID 1696 wrote to memory of 616	1696	svchcst.exe	36
PID 1696 wrote to memory of 616	1696	svchcst.exe	36
PID 1696 wrote to memory of 616	1696	svchcst.exe	36
PID 1696 wrote to memory of 616	1696	svchcst.exe	36
PID 2764 wrote to memory of 2844	2764	WScript.exe	37
PID 2764 wrote to memory of 2844	2764	WScript.exe	37
PID 2764 wrote to memory of 2844	2764	WScript.exe	37
PID 2764 wrote to memory of 2844	2764	WScript.exe	37
PID 2844 wrote to memory of 1352	2844	svchcst.exe	38
PID 2844 wrote to memory of 1352	2844	svchcst.exe	38
PID 2844 wrote to memory of 1352	2844	svchcst.exe	38
PID 2844 wrote to memory of 1352	2844	svchcst.exe	38
PID 1352 wrote to memory of 3052	1352	WScript.exe	39
PID 1352 wrote to memory of 3052	1352	WScript.exe	39
PID 1352 wrote to memory of 3052	1352	WScript.exe	39
PID 1352 wrote to memory of 3052	1352	WScript.exe	39
PID 3052 wrote to memory of 2256	3052	svchcst.exe	40
PID 3052 wrote to memory of 2256	3052	svchcst.exe	40
PID 3052 wrote to memory of 2256	3052	svchcst.exe	40
PID 3052 wrote to memory of 2256	3052	svchcst.exe	40
PID 1352 wrote to memory of 1512	1352	WScript.exe	41
PID 1352 wrote to memory of 1512	1352	WScript.exe	41
PID 1352 wrote to memory of 1512	1352	WScript.exe	41
PID 1352 wrote to memory of 1512	1352	WScript.exe	41
PID 1512 wrote to memory of 2332	1512	svchcst.exe	42
PID 1512 wrote to memory of 2332	1512	svchcst.exe	42
PID 1512 wrote to memory of 2332	1512	svchcst.exe	42
PID 1512 wrote to memory of 2332	1512	svchcst.exe	42
PID 2332 wrote to memory of 952	2332	WScript.exe	43
PID 2332 wrote to memory of 952	2332	WScript.exe	43
PID 2332 wrote to memory of 952	2332	WScript.exe	43
PID 2332 wrote to memory of 952	2332	WScript.exe	43
PID 952 wrote to memory of 2352	952	svchcst.exe	44
PID 952 wrote to memory of 2352	952	svchcst.exe	44
PID 952 wrote to memory of 2352	952	svchcst.exe	44
PID 952 wrote to memory of 2352	952	svchcst.exe	44
PID 2332 wrote to memory of 1572	2332	WScript.exe	45
PID 2332 wrote to memory of 1572	2332	WScript.exe	45
PID 2332 wrote to memory of 1572	2332	WScript.exe	45
PID 2332 wrote to memory of 1572	2332	WScript.exe	45
PID 1572 wrote to memory of 2216	1572	svchcst.exe	46
PID 1572 wrote to memory of 2216	1572	svchcst.exe	46
PID 1572 wrote to memory of 2216	1572	svchcst.exe	46
PID 1572 wrote to memory of 2216	1572	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe
"C:\Users\Admin\AppData\Local\Temp\763eee455f7e31f207dc600d7ebe0ed6fe840c31a7812d6a46d1eed80bac3641.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:616
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        
        PID:2256
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
df0eab47d1e82f30964889a510539535

SHA1
b57f3b72a490b8592d7b4882f866eaeaaac05bc2

SHA256
262b8fc5c95c52d2a0867a544ea90bb2f14abe5862f944faa004c444c2665aef

SHA512
ab9a457649df220a462d1762d68293114ae38688501c55d2cf5152aad3f1460f6ddd47a92def4409511e07d6dc7b9577f3fe207cd61e223e9eb19e57fbf24b2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
453KB

MD5
50086c318c86768de64861a6179b73c8

SHA1
4b54f9d47fb945ab7dfd6caa6aec4bcd0ddae296

SHA256
cd650e3d80c5f818d17109c0717508e8571210d982a7fac8ee63f3416994188f

SHA512
4eeff771dabf23c9460c1a043ea33bf7959c2ccbac49f21adfdfc018b75eceb99ae78f85c6440ffb37ef3056cb152ebdc8ee9bf9cde1717d532bb140a4e138a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
15KB

MD5
d09f8a2a7a824b4a8a48ac2a3114718b

SHA1
6c14a9c1a4b8ee9a873fd8ae2c7383137b091935

SHA256
ad90ac03f00b96bbfb4651f14bdc0486b35554e581df93a0b7be22ebf1bd9410

SHA512
3f4a30bb82574846f48f645cbf79d8b2db240496f3dba3fddda9b02597cb4ab5202be7b43b8165e03a0c589f27358821f27ee3fff2af4430773878e7cfdeb9fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
17KB

MD5
5ab347edde89ef1a28cd535202cb6b1d

SHA1
1e376c51ddcfd19c1fe3a18e98cbf84e36aefd08

SHA256
100dcbdf84c5d2c703dcacf8739b037a0f1cb233126134ca3fd0f1225bfaa826

SHA512
54fe5909e11e6986bfa1aa6bd37dfd03af1f33ae5517e52ab0af8d1c5e14d55f52d445f0966cc596ecb426e10171f375631b2d55b7bee181d3d0beddcfaa98c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
185KB

MD5
883cbe0a12a5610dea1cde56d23881ab

SHA1
cdfdd7ec8f39afb88f8712cafb684d706e6494a0

SHA256
833ff112e95de6a9fbcebe6cf4beee65b38e08f8460dfc5670d3d777a2e04c43

SHA512
a0aef8489ad9836234ada7bcee33b1e756ea32c883b6e30049e323bd2bd5dae72a08f218589128cee210f401af2879ba8562ae5be87f3607b15c29d7b4b18ca2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
149KB

MD5
34d11cec4ba1ca768c7fe7ccee6c0df3

SHA1
46b98601d11ff16ecd2ee33b2d0ffbc369e7c51e

SHA256
14cb9d21ed672feb479474d32daff68bcb5af4f397ef72851ba2f138c8c1b7ef

SHA512
aa4d55fa7f02e56733a18eb1fd098f3ce5da4649c9cb02a8f6d16fe867b4c0765ae0e399516b90b5cb7d6b9af33d0eb7f2f7ea05426475649a9ad9183aac6443

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
308KB

MD5
025facc5679ae8bd24112fc2e1d512a4

SHA1
f17f3e24c0eab1abf261d7e5fde178e2b8dd65c9

SHA256
f75bf227cd0b7ae0548626502f12444c9435bc8af68e51a92c33b201a9504657

SHA512
fdded71352e4705efc8971d0f79467f5a138aae12c040b07c0c2700708e7926290bc92ba5213df39e6bff4211f71fc23ab70939c6611e0c06c23fb87c25b97a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
107KB

MD5
f1957e3e45eb782d1985ed540a4f4d3c

SHA1
6bcde19d473c7d10b557c2d3de82c3994d012e0c

SHA256
71514dce01d59e964477743c83cbd2544d52927fd4d6d4a82a130cbf4b842a1d

SHA512
a0107143986950f566c9b5c62ed3216adf2c1bccdcded63ea5a039751d44f47361a27e3b119b35cd15aacdc5ded6c008cea1a99dee59c5b98a5839dd226eee4f

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
1.1MB

MD5
39f528b17d14b17e45f48befa3db1490

SHA1
4ce73a91a0d2fb40af587050581a1ddb15e437da

SHA256
029bce772d1bb0db803ac30e70b491915e16da85b3089de482b35875ef153ed6

SHA512
768e1e4b51dcebd8a9fd6d704ffc8ecb97f3cc09bfd738893af5fb6a664afeb2464f8002d311ef58be301a30ccda80b050bb7931da575a10ddb3f2e782fc7898

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
161KB

MD5
c6682a9e999129bcf7cc54b16e0b54a3

SHA1
bd10ebf8549712706b2b666b4a73ea7dd656371b

SHA256
155da466ec64855b05332fbcad23a68495362ab2430067bae34b65cf53b2d020

SHA512
d061c67200acaa8f0d3bf91913eed2c62b291c25a35d5491f799634df97bd745bf5a69085737a54074b5b35b21935ee9abd0574399ad7d1179c66111fb6b9afa

Download Submit
C:\Users\Admin\AppData\Roaming\svchcst.exe

Filesize
170KB

MD5
f2f89e1e039870c9b296d15745faa081

SHA1
6f9ccec98446b0ea0e369c37e9c6a7e6e55bcff2

SHA256
c7de2c900f6fd457f9832cc1ffc30be6e54783cabe50e571c6f0a54b1092b92a

SHA512
135581d2f925f30eff80899a1b6ff5b4125701687da5103747899c38767daaf867dd486ce1de8cc4ac0d2e00f9e33d166471856209abca1d3b5b8e3ae551c8a9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
11KB

MD5
20ae90d1bdc4f7c8c7715a0aed3ab78d

SHA1
de492489d4c5012ca5fc4a4364dae8b98aced228

SHA256
112829063fcc379cebf24a9404037881329cdcfebdde6787d06cc699bcf4e144

SHA512
c7b2b8f7bd2cbac5874b6deb312eb3a55dc513039c734e678c7b00cad7627c50dfe6ba0e10717305b694ed8f707cbd8b779b46d596ad1061ead2c3ca6f8ce623

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
2KB

MD5
d4f9d630952bcce7098f674d47a87996

SHA1
d7a59d1df8d331b0e6bb4030570e0565f78f9559

SHA256
e131de80c2b92506927e07c4b6f28037a9c5c0ebae8a6881b934281c3b79bd6d

SHA512
a28290d78ed5aa6c6dde44a66bf1e155d71c1800cc754bd8768388119a86c37bde2e3927c91fda58157ff7fa357575046e28355aa670ff63b34bab8204d40ec2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
376KB

MD5
31e61d969668777ec853ba91cdc64976

SHA1
cd6cc1076cb26232b13cf4e9872d2ea9b20a185e

SHA256
a117022cc51d034b5ee45e72fa5dad1be12242e93d7bbd2e9338a738c05c4b34

SHA512
0c26b43db94e0d556c09da0b9ca04e7be5b13f1784f6e0e5639307de47ea944caffdb2957c8ecd2ab11c80469d12a8d18d74411ab6865cffdaa8f67ae7f86167

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
2KB

MD5
fe38c44904dbb27217a5d3e9b44b62c3

SHA1
b55958a1c797b216a80602ff4a13864332fe981c

SHA256
cf906b5a3abdc7a86ae9291dbde51b67ea25ba6b2ae7cef3ee11c96a3d459b45

SHA512
1cfe460805e0f2a3e58b66f56f16375a35c3640deea8ac451e6a3c13a63972eba243178ae8d74a37d42e9b237a8fc27790e175f2b3a9226ef5a687d8865143b8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
199KB

MD5
3160a7717a64163f22b7fce699506956

SHA1
f00f09e214f4db8159aedc572eac65090d537841

SHA256
a3f3b50d3e93ee97464bea19d42b0be1f68a2437b8defc622bccb12db12ea790

SHA512
ab98f8ee92441e5230bf9ed9a4d7d423a9ba27fc94938ca4c4a90fe95ec493e9d288f799956963f29d76913853627f8922599bcc0f3a4f5e44b5aa4bfc75811b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
152KB

MD5
8b5afd4af3d02f8b6b4067d1847d2b21

SHA1
d6e577de73e08a9860e8d7f45f748a83391327ef

SHA256
ba510a3719a6e992e0c5363bc1ced49e842ab4de91a19110c4976e42e6aa8c9f

SHA512
d5a313d822d413fae81c5b008a0ef0cadaee384f580336b45a81122861dd14b593a2f686b02f95849c01c205a256423962f79bcfbbc0c582c8ccded8280ac43a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
576KB

MD5
d3e9e1f9dab4f778f75366640474d64a

SHA1
b0c4df0349311e48123fa0979dd999fbe5c9373c

SHA256
a78eed57e50749e5be8ccca5fa83a49ac35c79a305f32723bc1b7b47740b2afd

SHA512
5448ac4fa7c940267a755cfd10237cf4813551afbe0b9e01357092ce6ded136713ea49a065a74eca34ad4ec720b5793a7b7b77fbf5e395357ee9c591b5640242

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
84KB

MD5
84fb0b0afa30bba4f796bd5167c8aff0

SHA1
9a92498f2a95636507e88ee7a65bc9ecc26b14ca

SHA256
adc890c398ceba8def5ad51f61b7dc533d1863211a8228e1fec386780bfb0207

SHA512
98ce9831d12007ef388df68ba4266846f170335503f4f9ea62b95abf74d25f89eb995f2712bd215b6129795ca689dfd118a838cc15c8e751a731d2220ecddf78

Download Submit
memory/1344-182-0x0000000004150000-0x0000000004179000-memory.dmp

Filesize
164KB

Download