11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 12:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
Size

1.1MB
MD5

c45d4d45af155c297dc48f0c39bed81a
SHA1

39db4da384702e3597bdb0a5c887d499aac09202
SHA256

11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137
SHA512

bc4ab5871c8420d280ec5267aea3befdfcfff6f0cff204e0abf8ec02abcb4a5814b0ac1b3eadcee3df612bea943c1d72385ddbbbba85439725a5411b23454466
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QY:CcaClSFlG4ZM7QzMf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2144	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2144	svchcst.exe
2848	svchcst.exe
2952	svchcst.exe
2080	svchcst.exe
1144	svchcst.exe
2216	svchcst.exe
1608	svchcst.exe
2352	svchcst.exe
1104	svchcst.exe
1508	svchcst.exe
2916	svchcst.exe
768	svchcst.exe
1320	svchcst.exe
1944	svchcst.exe
772	svchcst.exe
1900	svchcst.exe
3004	svchcst.exe
2984	svchcst.exe
2888	svchcst.exe
1072	svchcst.exe
1596	svchcst.exe
1484	svchcst.exe
1772	svchcst.exe
1608	svchcst.exe
2708	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2760	WScript.exe
2760	WScript.exe
872	WScript.exe
2844	WScript.exe
1596	WScript.exe
1596	WScript.exe
3052	WScript.exe
944	WScript.exe
1300	WScript.exe
2812	WScript.exe
1960	WScript.exe
1960	WScript.exe
272	WScript.exe
272	WScript.exe
1076	WScript.exe
3060	WScript.exe
1204	WScript.exe
1204	WScript.exe
3060	WScript.exe
3060	WScript.exe
2228	WScript.exe
2228	WScript.exe
1744	WScript.exe
1744	WScript.exe
3012	WScript.exe
3012	WScript.exe
328	WScript.exe
328	WScript.exe
2384	WScript.exe
2384	WScript.exe
1680	WScript.exe
1680	WScript.exe
2072	WScript.exe
2072	WScript.exe
2044	WScript.exe
2044	WScript.exe
1864	WScript.exe
1864	WScript.exe
2204	WScript.exe
2204	WScript.exe
680	WScript.exe
680	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2848	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
2144	svchcst.exe
2144	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2080	svchcst.exe
2080	svchcst.exe
1144	svchcst.exe
1144	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
1104	svchcst.exe
1104	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
768	svchcst.exe
768	svchcst.exe
1944	svchcst.exe
1320	svchcst.exe
1944	svchcst.exe
1320	svchcst.exe
772	svchcst.exe
772	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
1072	svchcst.exe
1072	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
1772	svchcst.exe
1772	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2696	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	28
PID 2416 wrote to memory of 2696	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	28
PID 2416 wrote to memory of 2696	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	28
PID 2416 wrote to memory of 2696	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	28
PID 2416 wrote to memory of 2760	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	29
PID 2416 wrote to memory of 2760	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	29
PID 2416 wrote to memory of 2760	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	29
PID 2416 wrote to memory of 2760	2416	11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe	29
PID 2760 wrote to memory of 2144	2760	WScript.exe	31
PID 2760 wrote to memory of 2144	2760	WScript.exe	31
PID 2760 wrote to memory of 2144	2760	WScript.exe	31
PID 2760 wrote to memory of 2144	2760	WScript.exe	31
PID 2144 wrote to memory of 872	2144	svchcst.exe	32
PID 2144 wrote to memory of 872	2144	svchcst.exe	32
PID 2144 wrote to memory of 872	2144	svchcst.exe	32
PID 2144 wrote to memory of 872	2144	svchcst.exe	32
PID 2144 wrote to memory of 1460	2144	svchcst.exe	33
PID 2144 wrote to memory of 1460	2144	svchcst.exe	33
PID 2144 wrote to memory of 1460	2144	svchcst.exe	33
PID 2144 wrote to memory of 1460	2144	svchcst.exe	33
PID 872 wrote to memory of 2848	872	WScript.exe	34
PID 872 wrote to memory of 2848	872	WScript.exe	34
PID 872 wrote to memory of 2848	872	WScript.exe	34
PID 872 wrote to memory of 2848	872	WScript.exe	34
PID 2848 wrote to memory of 2844	2848	svchcst.exe	35
PID 2848 wrote to memory of 2844	2848	svchcst.exe	35
PID 2848 wrote to memory of 2844	2848	svchcst.exe	35
PID 2848 wrote to memory of 2844	2848	svchcst.exe	35
PID 2844 wrote to memory of 2952	2844	WScript.exe	36
PID 2844 wrote to memory of 2952	2844	WScript.exe	36
PID 2844 wrote to memory of 2952	2844	WScript.exe	36
PID 2844 wrote to memory of 2952	2844	WScript.exe	36
PID 2952 wrote to memory of 1596	2952	svchcst.exe	37
PID 2952 wrote to memory of 1596	2952	svchcst.exe	37
PID 2952 wrote to memory of 1596	2952	svchcst.exe	37
PID 2952 wrote to memory of 1596	2952	svchcst.exe	37
PID 1596 wrote to memory of 2080	1596	WScript.exe	38
PID 1596 wrote to memory of 2080	1596	WScript.exe	38
PID 1596 wrote to memory of 2080	1596	WScript.exe	38
PID 1596 wrote to memory of 2080	1596	WScript.exe	38
PID 2080 wrote to memory of 3052	2080	svchcst.exe	39
PID 2080 wrote to memory of 3052	2080	svchcst.exe	39
PID 2080 wrote to memory of 3052	2080	svchcst.exe	39
PID 2080 wrote to memory of 3052	2080	svchcst.exe	39
PID 3052 wrote to memory of 1144	3052	WScript.exe	40
PID 3052 wrote to memory of 1144	3052	WScript.exe	40
PID 3052 wrote to memory of 1144	3052	WScript.exe	40
PID 3052 wrote to memory of 1144	3052	WScript.exe	40
PID 1144 wrote to memory of 944	1144	svchcst.exe	41
PID 1144 wrote to memory of 944	1144	svchcst.exe	41
PID 1144 wrote to memory of 944	1144	svchcst.exe	41
PID 1144 wrote to memory of 944	1144	svchcst.exe	41
PID 944 wrote to memory of 2216	944	WScript.exe	44
PID 944 wrote to memory of 2216	944	WScript.exe	44
PID 944 wrote to memory of 2216	944	WScript.exe	44
PID 944 wrote to memory of 2216	944	WScript.exe	44
PID 2216 wrote to memory of 1300	2216	svchcst.exe	45
PID 2216 wrote to memory of 1300	2216	svchcst.exe	45
PID 2216 wrote to memory of 1300	2216	svchcst.exe	45
PID 2216 wrote to memory of 1300	2216	svchcst.exe	45
PID 1300 wrote to memory of 1608	1300	WScript.exe	46
PID 1300 wrote to memory of 1608	1300	WScript.exe	46
PID 1300 wrote to memory of 1608	1300	WScript.exe	46
PID 1300 wrote to memory of 1608	1300	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe
"C:\Users\Admin\AppData\Local\Temp\11869cc57796310d3a4927fc1406fb74374ebaed636ad1416b146dd95ee93137.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        Loads dropped DLL
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        50⤵
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        50⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1944
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
75df758b5b40006d5e67d01f93182501

SHA1
4fd3a62a360739bd5d21dbc1191bc6965fcde44c

SHA256
54de8a1a9244e7e9937c43d84089bcbb9d4b97699f2478b567a31d978e8ca9c9

SHA512
3206a4c21dd28a38d0da8d3b5db48c18c6c84bc7a2b76b0befb94eb557bec6156ddea3d8383a6a34a577d86f59697b37950d46b84162d0015d13a173e5f576d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
37a4bce81de61af644ff583d0d85c30a

SHA1
dbd1f7727dde376446d89cc68e827b6f5b1429f3

SHA256
92ebfeadc195a34887faeb2aafbddb097f85fcd124cfe53a0319208cf7b34620

SHA512
db2ea8bf753ea6c72967de85e790646baebe78fa134548ac0eab30a6163d85e902769a527f402e99bd81bd424aaa1e2bf0b2ce1b5adecb09a22bcbd4ea054f6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ea77882b7d4dc0261eb90e578708558

SHA1
51cd4b41931239999cdf30a9de9e93b26202372d

SHA256
0eff6da59c85cfa32e0697d690487507b4b877e5611a9b104a3d0374e15d7d8c

SHA512
90c3d50421bd83d19621b7d10418e65edaa952be19d15fcf7792d8b5e6497f56bc2004c1a175c734a48598b7a959e777b7ed494a069e23653996d20af9c1b9cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
933KB

MD5
65791cb13ef9fdc22d1e6cf28356a44a

SHA1
ffe192c3fcbd67b4703a25e38df480d1a1a3b650

SHA256
6e9f38687bb13a76b7493842a6c525b873673100fcdb455b733a6a8b9f10fc05

SHA512
564a44a7a5e37961e08003918fe722830a9b13bc670796d090ea026aee06e3a3f5b1089895898b4f0cbe91ec428185367c30d8efd11e7c2c3a9285ba400f51fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0eca1c4bf05c5e80bc2c0c101d7daca0

SHA1
ff3f4b8086fe50abd99d1d2f4cbb0dd150f0753f

SHA256
e2f3dc775e616eb1118c8da1b9a119985087e0c56bf16cca357031004cd8697b

SHA512
33a51c73b2b89b2445c34519fcee6a9de5f0ed1006552273ea6a2fe91ce1bc9640eba3f7fbde8d4181fca75b3aec6453b9fbac22d99e23dd08d314688d358450

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a61548a5c21860f159886537bb0fafa

SHA1
5fb2fe774e1edde8158c48d84d934a6ade80548f

SHA256
b2b4de06b9953935b391e53b5a9efba7b10b0acef6dd86b5240df938673c15fb

SHA512
c4d3ef117cf1c3f348d97cb97d4e7b0f03f87a06169fdf306151022040e0dddd15383ddecf697a756a0e09008d597f713178dbcc44a12f8835ef243a3c93b265

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
941665dcf49b53f9cffb3bf5cd7bad58

SHA1
47c95aba4cbdb31a10e192108cc0ee19967dc2b6

SHA256
03707e6bcb38a9571dd001c2a15e75fdd4408e9b223a6416a2dabb110c49218f

SHA512
f68094e605747c2013e7126a19394ec32d7501e49c42d28b2a6b353399bad87e58901496773e12943069ef43b24e18b984d52301679587c2812247862fb1bca9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
658KB

MD5
08fb6b571deb1da954cd78fccdea4f68

SHA1
2781c80cce8d1f555954b6434190f8fee030ff60

SHA256
48e3bce7d05b85e0f6f45251e52c76fe583ce995fb554d387c23cd6e7c4500ff

SHA512
53e290b38ead66927278e62eb264e2109d7155f2704a3c98003c45f0c5f359de15c02fff160b5903acfee24a8c7e78cbbd24d392df44ecb7a8b6ac04744b6974

Download Submit