4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/02/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
Size

1.1MB
MD5

fbe67ee0e8074b0bfdad7c46fcd26e83
SHA1

aedaa7aac0179b0f6bd2ac3622fc162363646261
SHA256

4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7
SHA512

5de46a0b46d7b73c10d63983334a33e9811b5ec38969decd7c7e3dfb95a098546fde5f500a33ea589cdf4c0d0d7653df9ccbe6090c6ee6303724d8ebefdfd54c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qr:CcaClSFlG4ZM7QzMM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2472	svchcst.exe
2676	svchcst.exe
2888	svchcst.exe
2748	svchcst.exe
864	svchcst.exe
2532	svchcst.exe
2036	svchcst.exe
2384	svchcst.exe
2328	svchcst.exe
2076	svchcst.exe
2876	svchcst.exe
2544	svchcst.exe
2492	svchcst.exe
1076	svchcst.exe
2176	svchcst.exe
2604	svchcst.exe
1520	svchcst.exe
2412	svchcst.exe
2164	svchcst.exe
2328	svchcst.exe
2992	svchcst.exe
268	svchcst.exe
308	svchcst.exe
2260	svchcst.exe
1376	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2940	WScript.exe
2804	WScript.exe
2940	WScript.exe
2804	WScript.exe
976	WScript.exe
2940	WScript.exe
976	WScript.exe
976	WScript.exe
976	WScript.exe
1612	WScript.exe
1612	WScript.exe
1344	WScript.exe
1344	WScript.exe
1544	WScript.exe
1544	WScript.exe
2992	WScript.exe
2992	WScript.exe
1680	WScript.exe
1184	WScript.exe
2848	WScript.exe
2848	WScript.exe
1184	WScript.exe
2848	WScript.exe
1492	WScript.exe
1492	WScript.exe
1492	WScript.exe
1492	WScript.exe
1028	WScript.exe
1028	WScript.exe
772	WScript.exe
772	WScript.exe
2200	WScript.exe
2200	WScript.exe
1684	WScript.exe
1684	WScript.exe
2620	WScript.exe
2620	WScript.exe
3008	WScript.exe
3008	WScript.exe
864	WScript.exe
1416	WScript.exe
864	WScript.exe
1416	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2472	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
2676	svchcst.exe
2676	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
864	svchcst.exe
864	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2076	svchcst.exe
2076	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
1076	svchcst.exe
1076	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
268	svchcst.exe
268	svchcst.exe
308	svchcst.exe
308	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
1376	svchcst.exe
1376	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2804	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	28
PID 2640 wrote to memory of 2804	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	28
PID 2640 wrote to memory of 2804	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	28
PID 2640 wrote to memory of 2804	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	28
PID 2640 wrote to memory of 2940	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	29
PID 2640 wrote to memory of 2940	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	29
PID 2640 wrote to memory of 2940	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	29
PID 2640 wrote to memory of 2940	2640	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	29
PID 2940 wrote to memory of 2676	2940	WScript.exe	31
PID 2940 wrote to memory of 2676	2940	WScript.exe	31
PID 2940 wrote to memory of 2676	2940	WScript.exe	31
PID 2940 wrote to memory of 2676	2940	WScript.exe	31
PID 2804 wrote to memory of 2472	2804	WScript.exe	32
PID 2804 wrote to memory of 2472	2804	WScript.exe	32
PID 2804 wrote to memory of 2472	2804	WScript.exe	32
PID 2804 wrote to memory of 2472	2804	WScript.exe	32
PID 2472 wrote to memory of 976	2472	svchcst.exe	33
PID 2472 wrote to memory of 976	2472	svchcst.exe	33
PID 2472 wrote to memory of 976	2472	svchcst.exe	33
PID 2472 wrote to memory of 976	2472	svchcst.exe	33
PID 976 wrote to memory of 2888	976	WScript.exe	34
PID 976 wrote to memory of 2888	976	WScript.exe	34
PID 976 wrote to memory of 2888	976	WScript.exe	34
PID 976 wrote to memory of 2888	976	WScript.exe	34
PID 2940 wrote to memory of 2748	2940	WScript.exe	35
PID 2940 wrote to memory of 2748	2940	WScript.exe	35
PID 2940 wrote to memory of 2748	2940	WScript.exe	35
PID 2940 wrote to memory of 2748	2940	WScript.exe	35
PID 976 wrote to memory of 864	976	WScript.exe	36
PID 976 wrote to memory of 864	976	WScript.exe	36
PID 976 wrote to memory of 864	976	WScript.exe	36
PID 976 wrote to memory of 864	976	WScript.exe	36
PID 864 wrote to memory of 2248	864	svchcst.exe	37
PID 864 wrote to memory of 2248	864	svchcst.exe	37
PID 864 wrote to memory of 2248	864	svchcst.exe	37
PID 864 wrote to memory of 2248	864	svchcst.exe	37
PID 976 wrote to memory of 2532	976	WScript.exe	38
PID 976 wrote to memory of 2532	976	WScript.exe	38
PID 976 wrote to memory of 2532	976	WScript.exe	38
PID 976 wrote to memory of 2532	976	WScript.exe	38
PID 2532 wrote to memory of 1612	2532	svchcst.exe	39
PID 2532 wrote to memory of 1612	2532	svchcst.exe	39
PID 2532 wrote to memory of 1612	2532	svchcst.exe	39
PID 2532 wrote to memory of 1612	2532	svchcst.exe	39
PID 1612 wrote to memory of 2036	1612	WScript.exe	40
PID 1612 wrote to memory of 2036	1612	WScript.exe	40
PID 1612 wrote to memory of 2036	1612	WScript.exe	40
PID 1612 wrote to memory of 2036	1612	WScript.exe	40
PID 2036 wrote to memory of 1344	2036	svchcst.exe	41
PID 2036 wrote to memory of 1344	2036	svchcst.exe	41
PID 2036 wrote to memory of 1344	2036	svchcst.exe	41
PID 2036 wrote to memory of 1344	2036	svchcst.exe	41
PID 1344 wrote to memory of 2384	1344	WScript.exe	42
PID 1344 wrote to memory of 2384	1344	WScript.exe	42
PID 1344 wrote to memory of 2384	1344	WScript.exe	42
PID 1344 wrote to memory of 2384	1344	WScript.exe	42
PID 2384 wrote to memory of 1544	2384	svchcst.exe	43
PID 2384 wrote to memory of 1544	2384	svchcst.exe	43
PID 2384 wrote to memory of 1544	2384	svchcst.exe	43
PID 2384 wrote to memory of 1544	2384	svchcst.exe	43
PID 1544 wrote to memory of 2328	1544	WScript.exe	46
PID 1544 wrote to memory of 2328	1544	WScript.exe	46
PID 1544 wrote to memory of 2328	1544	WScript.exe	46
PID 1544 wrote to memory of 2328	1544	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
"C:\Users\Admin\AppData\Local\Temp\4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        
        PID:2248
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
d15963dbffddfab179dd66aa19d17234

SHA1
3c77b4d4147e38098b3856aad11f40d8fa914d7e

SHA256
5cde7b02b57c5fc8ede2aea560746454db37cbab4773ef78b40229fb0616bb98

SHA512
2f5ad4c00f5e39da0c320df26df1245353dfd1f1b6492ebfee5abb42fe9b604e05c35f38f89c56daae29b552e1d29cc2fa2d01deb3f44e647f3a02ecaee20613

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3f53b8f7d590d6df283ca3feb95043d4

SHA1
e13a996c1b13b28ea701d3d261217e728c66fe27

SHA256
877c67a6ed77a51ad6d5a0367046af51b899ea0884f0fb3ecd0c9be2ed3859ab

SHA512
0662c62617213ddd6907c6b2469b8bc7aa037b57d748f877c95c913ee9c1f84a5dd4b608a57136b1e2bbe57bf868f204c6ae94517a8a06fda8dab543ddb7ebf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
163KB

MD5
0acac6afe9080b3a1dae127e5ada39fe

SHA1
f4ce6059d7639347824f932d90b2d60046842e64

SHA256
fc95614b91694358d563b259a531192cb7075dc181d80a89cba3c45e47fb1ebb

SHA512
a61810e296a28ede770c74fedd58846a9a95813af958442ec219444523f0dbdcbb8bb67c33b206a56470d97f34d2def26f95efcbd39c6cbe2e1f32c99e4ae6c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5c50d974b69613300c9d4f645c58c70

SHA1
31e8b61e4aff94709f3c4477e31c435667f59ea9

SHA256
1ccd6e114e0ff7ab82efb135f46ac3e0e729ff87cbb6e925eda768582718fd68

SHA512
6d717012246a9b9b0898b4987e7a855251d4927153153a80b51fc90100419b02f8c36e42d5f6fb9170457b546e13c5eac09d539f627c277c5ca104dbabf8ec71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0370e542bc3300aab19ecdcca4471a6d

SHA1
1d9d55e6dc0a6646a28b00390285f98205037c68

SHA256
a2c3107e0bce98fa238d328937070b9fc9eb122543710a02afc99265f6b7854e

SHA512
af0e26c0ce44f1eacb875a488594664dacb24f60d9344936e4a7931445dbaa7621ff764e4867319bba356b60b6a6a62264d841bc09d5f0338e927ecf0e03ad35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
576KB

MD5
d3e9e1f9dab4f778f75366640474d64a

SHA1
b0c4df0349311e48123fa0979dd999fbe5c9373c

SHA256
a78eed57e50749e5be8ccca5fa83a49ac35c79a305f32723bc1b7b47740b2afd

SHA512
5448ac4fa7c940267a755cfd10237cf4813551afbe0b9e01357092ce6ded136713ea49a065a74eca34ad4ec720b5793a7b7b77fbf5e395357ee9c591b5640242

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
537KB

MD5
d0bf98731ef083822124c8b7ee3ba2be

SHA1
242e1aaa567ffad7cca1b4af5f5a02a6d00183ae

SHA256
22b492b887760b3d9592efbd6d64736499509fbe9e36ebe33db119ed6a0fa8c2

SHA512
a7494a1bd64ab6846a3d5618a5072a4791f97d0d388d34e76e9da282f5e5af722ef3d9c243a444363717b67b4d1df6fb2707e46d8566777bf6ca19973d7c12b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8651a93700c0853469dc3e65a95db03a

SHA1
f2c0aeb013410562ae4dda472a0523f6c5edffa5

SHA256
fc0b9accbd1644f3b5258b9653ade45fa8787d7324ef2ff60f299a9154251030

SHA512
1c5aa1ea5cc92dc17efb4097bc92a6cd73e89e25ea969e3216bf379d0a3ae72c0f741af7e6d1e1dda9ad8949a6b0a8ba7685ccb33f6a0aa1bd694604ad016800

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0529fb4643c1fe9dacd464099f55828b

SHA1
2356ffc1c76adaa97271855a8d6e027a2446897b

SHA256
1e0b9e9f0a78a42e1f4b9f573939380d85f205f9caa3e8e1cef97b5fdf1f3fdb

SHA512
f26bd35e776e56a43c1136967de80d43cc95b94723b1db13bcabe350bf511f8f51d9890cc73a461db60d05311993c668ede526fa4f374d0f131002409e833682

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
704KB

MD5
dbbd3fad2367ece4bb9928bba49188ad

SHA1
1ef2dd9662a8d837519f90dca0faf3835b16cc02

SHA256
10cfb0ebe27a346c050d534c9ef05d136510d97c412303adb127b7078371e933

SHA512
1e555333dd6d48d1e64db60b8e1ce8776ea2f109119fe6194e00bb7e64b30e903614b34e865f6742d322716eec7c9c86f2b89f066b060d1810c8195e7a77b55c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b23c5588f4e9e59a4af23a9e4a9e731

SHA1
b9254149974823879087ce47ee2612f24b3b335b

SHA256
bf95283d15c34d26e18febbd7a29be1ab3671ad1e251515158580a7636a48830

SHA512
b73ac219269fb9947de77e97ed601d441fb20d85eed5f39c8a1e1bfe4efc89686e8a63b8317deb550612c858b5c118f1c71ad3489077869f4bb77b9f63c673dc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
735KB

MD5
50af27b7a13ace9ca2f530730f4663b6

SHA1
010eded106d0922ae0b6e72550ef700cf5cc3c78

SHA256
b8585fec693339456dcdbd14c6dea17e5d25146aca7d3e3d666fcabc7eb9d53f

SHA512
7442f76cd74ce17fd77875ce5f14f18924d755622359244e1dec8a7dbc1c1524cf2d68317caab24ff267a8eb07cbd03ef1ffd0854abf29d8312aebba074e8724

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
640KB

MD5
b859e049a1e2627957aa71bceac3e3bf

SHA1
30bae80b097886a4d39abd123f77d1885a9a13c9

SHA256
bacc692c7e6e5bf3cd3360ee981c7abe1d9911eb35650211a6a2060e97fdf7eb

SHA512
fa68e2341683a7c2611da6a9cab8cc4abae9f586b2e76c9b6e67425fce873615d5238763bb3c99dd666c136d4f6ad9f2104ca401d405539a25a9bec2d7789e5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
793c1517870d1fd752573b5ed4a5e130

SHA1
7c983e4b84ff9098b37224c9aa169325f6a66c7c

SHA256
85496b2bcb6c864ec7250875e92704d506d245e94806dde0b0c0e33a1a09ddc8

SHA512
2f3bc19ec2e66a0f5ccb97384119343e7bb2614d7de5a7861367a1cda2c0c08264c456e04b17c3d415f9ead2302cddb3a9a9a3cc23e2309fb06977598233e524

Download Submit
memory/2640-4-0x0000000003FE0000-0x0000000004050000-memory.dmp

Filesize
448KB

Download