cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
Size

1.1MB
MD5

efe61464d183fd6502a4a3c52c26bc48
SHA1

68d9b9958126bffb9ec4bfff7f86fbace579d136
SHA256

cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528
SHA512

0a112921f7ea1908d71833a0ec11cb69afaaefd3db4c5f2583c48aff463063d39115d18b7572b01dc6de90a62bcb4b05824cbf2b6583ccdd4017bc1406c2196b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzMF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1688	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
3044	svchcst.exe
1688	svchcst.exe
1980	svchcst.exe
2224	svchcst.exe
1064	svchcst.exe
1912	svchcst.exe
1892	svchcst.exe
2344	svchcst.exe
2772	svchcst.exe
2936	svchcst.exe
896	svchcst.exe
1168	svchcst.exe
544	svchcst.exe
3032	svchcst.exe
1628	svchcst.exe
2428	svchcst.exe
2120	svchcst.exe
936	svchcst.exe
2256	svchcst.exe
2848	svchcst.exe
2860	svchcst.exe
816	svchcst.exe
1544	svchcst.exe
1564	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2136	WScript.exe
2608	WScript.exe
2608	WScript.exe
2136	WScript.exe
2692	WScript.exe
616	WScript.exe
2500	WScript.exe
2500	WScript.exe
1960	WScript.exe
1960	WScript.exe
292	WScript.exe
292	WScript.exe
2380	WScript.exe
2380	WScript.exe
1220	WScript.exe
1220	WScript.exe
2664	WScript.exe
2664	WScript.exe
2744	WScript.exe
2744	WScript.exe
1160	WScript.exe
1160	WScript.exe
1604	WScript.exe
1604	WScript.exe
1876	WScript.exe
1876	WScript.exe
1416	WScript.exe
1416	WScript.exe
2348	WScript.exe
2348	WScript.exe
2060	WScript.exe
2060	WScript.exe
2624	WScript.exe
2624	WScript.exe
2532	WScript.exe
2532	WScript.exe
2824	WScript.exe
2824	WScript.exe
2648	WScript.exe
2648	WScript.exe
2304	WScript.exe
2304	WScript.exe
616	WScript.exe
616	WScript.exe
2076	WScript.exe
2076	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe
1688	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
1688	svchcst.exe
1688	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
1980	svchcst.exe
1980	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
1892	svchcst.exe
1892	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
896	svchcst.exe
896	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
544	svchcst.exe
544	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
936	svchcst.exe
936	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
816	svchcst.exe
816	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1564	svchcst.exe
1564	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2608	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	31
PID 2164 wrote to memory of 2608	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	31
PID 2164 wrote to memory of 2608	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	31
PID 2164 wrote to memory of 2608	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	31
PID 2164 wrote to memory of 2136	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	32
PID 2164 wrote to memory of 2136	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	32
PID 2164 wrote to memory of 2136	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	32
PID 2164 wrote to memory of 2136	2164	cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe	32
PID 2608 wrote to memory of 3044	2608	WScript.exe	35
PID 2608 wrote to memory of 3044	2608	WScript.exe	35
PID 2608 wrote to memory of 3044	2608	WScript.exe	35
PID 2608 wrote to memory of 3044	2608	WScript.exe	35
PID 2136 wrote to memory of 1688	2136	WScript.exe	34
PID 2136 wrote to memory of 1688	2136	WScript.exe	34
PID 2136 wrote to memory of 1688	2136	WScript.exe	34
PID 2136 wrote to memory of 1688	2136	WScript.exe	34
PID 3044 wrote to memory of 2692	3044	svchcst.exe	36
PID 3044 wrote to memory of 2692	3044	svchcst.exe	36
PID 3044 wrote to memory of 2692	3044	svchcst.exe	36
PID 3044 wrote to memory of 2692	3044	svchcst.exe	36
PID 2692 wrote to memory of 1980	2692	WScript.exe	37
PID 2692 wrote to memory of 1980	2692	WScript.exe	37
PID 2692 wrote to memory of 1980	2692	WScript.exe	37
PID 2692 wrote to memory of 1980	2692	WScript.exe	37
PID 1980 wrote to memory of 616	1980	svchcst.exe	38
PID 1980 wrote to memory of 616	1980	svchcst.exe	38
PID 1980 wrote to memory of 616	1980	svchcst.exe	38
PID 1980 wrote to memory of 616	1980	svchcst.exe	38
PID 616 wrote to memory of 2224	616	WScript.exe	39
PID 616 wrote to memory of 2224	616	WScript.exe	39
PID 616 wrote to memory of 2224	616	WScript.exe	39
PID 616 wrote to memory of 2224	616	WScript.exe	39
PID 2224 wrote to memory of 2500	2224	svchcst.exe	40
PID 2224 wrote to memory of 2500	2224	svchcst.exe	40
PID 2224 wrote to memory of 2500	2224	svchcst.exe	40
PID 2224 wrote to memory of 2500	2224	svchcst.exe	40
PID 2500 wrote to memory of 1064	2500	WScript.exe	41
PID 2500 wrote to memory of 1064	2500	WScript.exe	41
PID 2500 wrote to memory of 1064	2500	WScript.exe	41
PID 2500 wrote to memory of 1064	2500	WScript.exe	41
PID 1064 wrote to memory of 1960	1064	svchcst.exe	42
PID 1064 wrote to memory of 1960	1064	svchcst.exe	42
PID 1064 wrote to memory of 1960	1064	svchcst.exe	42
PID 1064 wrote to memory of 1960	1064	svchcst.exe	42
PID 1960 wrote to memory of 1912	1960	WScript.exe	43
PID 1960 wrote to memory of 1912	1960	WScript.exe	43
PID 1960 wrote to memory of 1912	1960	WScript.exe	43
PID 1960 wrote to memory of 1912	1960	WScript.exe	43
PID 1912 wrote to memory of 292	1912	svchcst.exe	44
PID 1912 wrote to memory of 292	1912	svchcst.exe	44
PID 1912 wrote to memory of 292	1912	svchcst.exe	44
PID 1912 wrote to memory of 292	1912	svchcst.exe	44
PID 292 wrote to memory of 1892	292	WScript.exe	45
PID 292 wrote to memory of 1892	292	WScript.exe	45
PID 292 wrote to memory of 1892	292	WScript.exe	45
PID 292 wrote to memory of 1892	292	WScript.exe	45
PID 1892 wrote to memory of 2380	1892	svchcst.exe	46
PID 1892 wrote to memory of 2380	1892	svchcst.exe	46
PID 1892 wrote to memory of 2380	1892	svchcst.exe	46
PID 1892 wrote to memory of 2380	1892	svchcst.exe	46
PID 2380 wrote to memory of 2344	2380	WScript.exe	47
PID 2380 wrote to memory of 2344	2380	WScript.exe	47
PID 2380 wrote to memory of 2344	2380	WScript.exe	47
PID 2380 wrote to memory of 2344	2380	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe
"C:\Users\Admin\AppData\Local\Temp\cf057990fd5778b984ed6aebc6736f0b89c3abde8370ed9bf18dfb7f9933b528.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1980
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
915a42a58e9c294f8cb151b662a13a84

SHA1
354125ad3045b11f846d9df32ed48b88befc45c6

SHA256
126a4c3a038bff4dca3e59bc012108680b86fcdb58286a955634e1f6a63bf01f

SHA512
96cc9b5337092b621ab7641fa67fe1dab50425af8384d417c3308004be50c7533fe9abab5b7aa646f70997dd9eff72b75edb8c3b6d37fcde86d8ca3da2460ced

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e84735bdf3f0dba993a912c80bf2af9b

SHA1
7c64084c8116a6c29e1953326fea252828dad7bc

SHA256
e0abbcd112f462c4caff8e2b64a686c33aa8cd55f68aee8add4dcde2252c003f

SHA512
1b567b0fa10b6a68519a52ea70f35ec0201ef0a3a5fc280e819045aeb4f6720ee5c90a22501257840f6abefaf0aff4f247a600ba763bae330de5ef0d308cab57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
131e864eb492ad57b68bfb705747f6a2

SHA1
4f24ba36cbe8f06d4624c77fdcc2f642ec89bd9b

SHA256
ec07ef130b0da6fae2120119b7111f311f866dc51e1da2ac7e8b084232a2135c

SHA512
fac07c86f1b4d0112e4838d4084f03dd7686f824190b3232faa1c7267e4ebea2ba016ec77054dbb11a32f1d240bca5d6dafe59422e0b11e8c6c53e7e1dd947f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5e416d7d6de317117390fa96157ddb00

SHA1
7ab70db58b8911c2bb09ec9d45d0f2c2e89dd97a

SHA256
ee595afe6272166488e414274900c6b9b80f8fc6558d37740a03a64f471d6d0b

SHA512
c252a15ec4a36f2d00bbfe37e8f51bf8740acd8d2b3f4ae5ab7f1ed87472ec62593379c6d9bc29dfa1710b53c681b0c17ec6be35665df953cfbee9e58185638a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0fea67ca5c826b4d8cd24c39ac838245

SHA1
a8893aa3f357bb3cb9f355fd84bb426d6f84dd1e

SHA256
12c2802c8633c3f583819d7e5d510e98eefe44b226bd8b71f4c7391ba507ffad

SHA512
b35e4f681ed660eeaa6191286f2fb5b02fc8f828d0425ffc762db4a4f86fc140a571bcca1ea53ae498d85c390d0275687065c8a33b7fe55af7218d41ff816849

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
defd5683a949a94b22ef09cf3e41da2a

SHA1
be9f480b103924eb3c4e4d05df4dbf3991ac6d7b

SHA256
29a9f7c521655f4cc2e3e801a9434a08c43c59ec2ca610715f28d37f1d09aab3

SHA512
9c858c56cbf40d7535981395bd0b2b563e89e4e84c7ad877a628e66c2b5ca130b4ad91044130c4ba9e612c2c1d26a92be8fe1d7769d970ec93ed1fdac6403c6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3edb3f01f8c708117685fd347eb5c11a

SHA1
ad1f23e9e177daa675c3c683251c865dc6b5346c

SHA256
58d649c99209dc8c843cdde9260b2163315403abedfc35a936ebb481353c80e6

SHA512
40ea12e01d83a6bf932b56b1d7fc92804f7394dcb9bebd488bc366f0e91e1f47d0731bafaa28992adc391ab61160c45b990d1ae8f4952864d20f575bc42c3ff4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee23544683021de7e131edd706f408b7

SHA1
edb764c53f84ddc1288d811d8ed57fbf5b62274f

SHA256
5ae7fc5320e59d5fcae8953130ce99e2bfd0df44cbb7f91b77b61c54a752569c

SHA512
4d7abdfbecc4d2b459d9dd08736651149444a63075d097d1c7bcd4d33a280a6153cf02f3bfc6ab7baabb56c55072c85557a92d2fe5ddef8e533c754b8e396508

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2232fe8ad25a9c1aecc9c52de54c27a2

SHA1
1470a17dff0812da4d32772f638f8a0555d9c4ed

SHA256
c5432fa59e3c8356c9ee65d33a2d71753a68a97fea1af5d20af7726be52a9663

SHA512
7a6d96900fe111b248e7070414238239201a887a2a26871bdafbfa8055c3f20991452b6082a9a294388b7dd32988bf8d50bc95038a5c6f4e11c19ea4eee7c095

Download Submit
memory/2164-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download