64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
Size

1.1MB
MD5

e6f73055d0118c3d516fc0fca9c19286
SHA1

0ecbe66acf9a809784c0f569cc3ca7c68cc98dd7
SHA256

64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc
SHA512

1eea6918b35f31a3dea547aa87e29975f263bf38f4ae32ab2e995b3630f4c5df4c542f57ceafc38998174192c403c3a08e998705fc406b008251ef8f4beba705
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2408	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2408	svchcst.exe
2640	svchcst.exe
956	svchcst.exe
2268	svchcst.exe
348	svchcst.exe
452	svchcst.exe
2004	svchcst.exe
1676	svchcst.exe
2576	svchcst.exe
3000	svchcst.exe
2800	svchcst.exe
1668	svchcst.exe
2628	svchcst.exe
1280	svchcst.exe
2816	svchcst.exe
320	svchcst.exe
1848	svchcst.exe
2632	svchcst.exe
2764	svchcst.exe
2804	svchcst.exe
1484	svchcst.exe
608	svchcst.exe
1596	svchcst.exe

Loads dropped DLL 33 IoCs

pid	Process
2540	WScript.exe
2540	WScript.exe
2580	WScript.exe
1500	WScript.exe
1500	WScript.exe
2648	WScript.exe
2648	WScript.exe
1492	WScript.exe
1492	WScript.exe
2544	WScript.exe
2544	WScript.exe
2900	WScript.exe
1472	WScript.exe
2264	WScript.exe
1376	WScript.exe
2368	WScript.exe
2368	WScript.exe
888	WScript.exe
888	WScript.exe
1052	WScript.exe
1052	WScript.exe
2556	WScript.exe
2556	WScript.exe
2412	WScript.exe
2412	WScript.exe
2976	WScript.exe
2976	WScript.exe
2032	WScript.exe
2032	WScript.exe
1456	WScript.exe
1456	WScript.exe
604	WScript.exe
604	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
2408	svchcst.exe
2408	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
956	svchcst.exe
956	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
348	svchcst.exe
348	svchcst.exe
452	svchcst.exe
452	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
1280	svchcst.exe
1280	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
320	svchcst.exe
320	svchcst.exe
1848	svchcst.exe
1848	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2764	svchcst.exe
2764	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
608	svchcst.exe
608	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2540	1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe	28
PID 1632 wrote to memory of 2540	1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe	28
PID 1632 wrote to memory of 2540	1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe	28
PID 1632 wrote to memory of 2540	1632	64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe	28
PID 2540 wrote to memory of 2408	2540	WScript.exe	30
PID 2540 wrote to memory of 2408	2540	WScript.exe	30
PID 2540 wrote to memory of 2408	2540	WScript.exe	30
PID 2540 wrote to memory of 2408	2540	WScript.exe	30
PID 2408 wrote to memory of 2580	2408	svchcst.exe	31
PID 2408 wrote to memory of 2580	2408	svchcst.exe	31
PID 2408 wrote to memory of 2580	2408	svchcst.exe	31
PID 2408 wrote to memory of 2580	2408	svchcst.exe	31
PID 2580 wrote to memory of 2640	2580	WScript.exe	32
PID 2580 wrote to memory of 2640	2580	WScript.exe	32
PID 2580 wrote to memory of 2640	2580	WScript.exe	32
PID 2580 wrote to memory of 2640	2580	WScript.exe	32
PID 2640 wrote to memory of 1500	2640	svchcst.exe	33
PID 2640 wrote to memory of 1500	2640	svchcst.exe	33
PID 2640 wrote to memory of 1500	2640	svchcst.exe	33
PID 2640 wrote to memory of 1500	2640	svchcst.exe	33
PID 1500 wrote to memory of 956	1500	WScript.exe	34
PID 1500 wrote to memory of 956	1500	WScript.exe	34
PID 1500 wrote to memory of 956	1500	WScript.exe	34
PID 1500 wrote to memory of 956	1500	WScript.exe	34
PID 956 wrote to memory of 2628	956	svchcst.exe	35
PID 956 wrote to memory of 2628	956	svchcst.exe	35
PID 956 wrote to memory of 2628	956	svchcst.exe	35
PID 956 wrote to memory of 2628	956	svchcst.exe	35
PID 1500 wrote to memory of 2268	1500	WScript.exe	36
PID 1500 wrote to memory of 2268	1500	WScript.exe	36
PID 1500 wrote to memory of 2268	1500	WScript.exe	36
PID 1500 wrote to memory of 2268	1500	WScript.exe	36
PID 2268 wrote to memory of 2648	2268	svchcst.exe	37
PID 2268 wrote to memory of 2648	2268	svchcst.exe	37
PID 2268 wrote to memory of 2648	2268	svchcst.exe	37
PID 2268 wrote to memory of 2648	2268	svchcst.exe	37
PID 2648 wrote to memory of 348	2648	WScript.exe	38
PID 2648 wrote to memory of 348	2648	WScript.exe	38
PID 2648 wrote to memory of 348	2648	WScript.exe	38
PID 2648 wrote to memory of 348	2648	WScript.exe	38
PID 348 wrote to memory of 2940	348	svchcst.exe	39
PID 348 wrote to memory of 2940	348	svchcst.exe	39
PID 348 wrote to memory of 2940	348	svchcst.exe	39
PID 348 wrote to memory of 2940	348	svchcst.exe	39
PID 2648 wrote to memory of 452	2648	WScript.exe	40
PID 2648 wrote to memory of 452	2648	WScript.exe	40
PID 2648 wrote to memory of 452	2648	WScript.exe	40
PID 2648 wrote to memory of 452	2648	WScript.exe	40
PID 452 wrote to memory of 1492	452	svchcst.exe	41
PID 452 wrote to memory of 1492	452	svchcst.exe	41
PID 452 wrote to memory of 1492	452	svchcst.exe	41
PID 452 wrote to memory of 1492	452	svchcst.exe	41
PID 1492 wrote to memory of 2004	1492	WScript.exe	42
PID 1492 wrote to memory of 2004	1492	WScript.exe	42
PID 1492 wrote to memory of 2004	1492	WScript.exe	42
PID 1492 wrote to memory of 2004	1492	WScript.exe	42
PID 2004 wrote to memory of 2336	2004	svchcst.exe	43
PID 2004 wrote to memory of 2336	2004	svchcst.exe	43
PID 2004 wrote to memory of 2336	2004	svchcst.exe	43
PID 2004 wrote to memory of 2336	2004	svchcst.exe	43
PID 1492 wrote to memory of 1676	1492	WScript.exe	46
PID 1492 wrote to memory of 1676	1492	WScript.exe	46
PID 1492 wrote to memory of 1676	1492	WScript.exe	46
PID 1492 wrote to memory of 1676	1492	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe
"C:\Users\Admin\AppData\Local\Temp\64be3e95b574c728d106ddfdd55696824ed287b5eaf580a6021a7df4287f56bc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
232b3efdc4d5401f9693870d22b787d3

SHA1
f4f2b32e48110097b9a563e1d1132311ce0d518d

SHA256
1515d8b514ad3c597aa074644093fc3fcf89a058e04e29104af17fff892c22c0

SHA512
32e54c3e0618e2148aa2b2390014818e54d3bd754d69f9a817302efb62afd8477da94b32d6caf42ed9d1e085b0ab4ed5f49321dcf2f436c14fc8c732e1a7d3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0d7287608e57c918d75f595179c5fa29

SHA1
d16c5add83d14855a0d674ca2d287ef0233e7062

SHA256
539b077eb4ef610403f7c3cdec3fd11482b2a0c4f3c254c2e8f6f2a51905c9d1

SHA512
0050624a5937e196a1e7d08318d9a499ea706cf8023bf7c6b1ba42a671e98e202ab83723740e9aab99bd6c17c3895ca1f2b17f6e94dd81d1d01c064b997c8bff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
514d031ab2c2edbd9438e32f9de768ce

SHA1
4225a0133cdab571da9434a1b91cb0e7c008253e

SHA256
4a976905993f437d15f4017ea20644295ae336b4287b4cf9e0b0f21aad1d260f

SHA512
9cec7775e686439eb9dd8156954ff83b4b3324cd49cab6549a8ceba34dd3f5a1fd18a0e7eadca837bc3e05636bb2f8f1930c552a9dd9bb130fedf10b54a95d6e

Download Submit
memory/1632-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download