bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe
Size

1.1MB
MD5

3f0576e166dbb3d3a5978985a594ea64
SHA1

71c3b51076738d22e1f02fcb4371ff4dff2e5a86
SHA256

bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e
SHA512

77abe8925d6f301b2bafd9879eebcebebde86dec3e895638852b6b52c2e422855facd2d5defa58dd657dea601d10e0d22c80b78d6c370781b0ad5212f46c4225
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyR0:g5ApamAUAQ/lG4lBmFAvZ0

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2912	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2912	svchcst.exe
3000	svchcst.exe
2480	svchcst.exe
1644	svchcst.exe
2324	svchcst.exe
1536	svchcst.exe
1804	svchcst.exe
2788	svchcst.exe
2968	svchcst.exe
2976	svchcst.exe
2640	svchcst.exe
372	svchcst.exe
832	svchcst.exe
2772	svchcst.exe
1856	svchcst.exe
1144	svchcst.exe
272	svchcst.exe
2284	svchcst.exe
2928	svchcst.exe
2780	svchcst.exe
564	svchcst.exe
868	svchcst.exe
2068	svchcst.exe
1484	svchcst.exe
3060	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2980	WScript.exe
2980	WScript.exe
2960	WScript.exe
2644	WScript.exe
784	WScript.exe
2088	WScript.exe
2088	WScript.exe
1144	WScript.exe
776	WScript.exe
1752	WScript.exe
2984	WScript.exe
2984	WScript.exe
1688	WScript.exe
2944	WScript.exe
2832	WScript.exe
3060	WScript.exe
3060	WScript.exe
3060	WScript.exe
1972	WScript.exe
1972	WScript.exe
2568	WScript.exe
2568	WScript.exe
1708	WScript.exe
1708	WScript.exe
1608	WScript.exe
1608	WScript.exe
1620	WScript.exe
1620	WScript.exe
3004	WScript.exe
3004	WScript.exe
676	WScript.exe
676	WScript.exe
2248	WScript.exe
2248	WScript.exe
996	WScript.exe
996	WScript.exe
1004	WScript.exe
1004	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe
2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe
2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe
2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe
2912	svchcst.exe
2912	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
2480	svchcst.exe
2480	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
372	svchcst.exe
372	svchcst.exe
832	svchcst.exe
832	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
1144	svchcst.exe
1144	svchcst.exe
272	svchcst.exe
272	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
2928	svchcst.exe
2928	svchcst.exe
2780	svchcst.exe
2780	svchcst.exe
564	svchcst.exe
564	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2960	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	29
PID 2956 wrote to memory of 2960	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	29
PID 2956 wrote to memory of 2960	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	29
PID 2956 wrote to memory of 2960	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	29
PID 2956 wrote to memory of 2980	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	28
PID 2956 wrote to memory of 2980	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	28
PID 2956 wrote to memory of 2980	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	28
PID 2956 wrote to memory of 2980	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	28
PID 2956 wrote to memory of 3048	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	30
PID 2956 wrote to memory of 3048	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	30
PID 2956 wrote to memory of 3048	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	30
PID 2956 wrote to memory of 3048	2956	bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe	30
PID 2980 wrote to memory of 2912	2980	WScript.exe	32
PID 2980 wrote to memory of 2912	2980	WScript.exe	32
PID 2980 wrote to memory of 2912	2980	WScript.exe	32
PID 2980 wrote to memory of 2912	2980	WScript.exe	32
PID 2960 wrote to memory of 3000	2960	WScript.exe	33
PID 2960 wrote to memory of 3000	2960	WScript.exe	33
PID 2960 wrote to memory of 3000	2960	WScript.exe	33
PID 2960 wrote to memory of 3000	2960	WScript.exe	33
PID 3000 wrote to memory of 2644	3000	svchcst.exe	34
PID 3000 wrote to memory of 2644	3000	svchcst.exe	34
PID 3000 wrote to memory of 2644	3000	svchcst.exe	34
PID 3000 wrote to memory of 2644	3000	svchcst.exe	34
PID 2644 wrote to memory of 2480	2644	WScript.exe	35
PID 2644 wrote to memory of 2480	2644	WScript.exe	35
PID 2644 wrote to memory of 2480	2644	WScript.exe	35
PID 2644 wrote to memory of 2480	2644	WScript.exe	35
PID 2480 wrote to memory of 784	2480	svchcst.exe	36
PID 2480 wrote to memory of 784	2480	svchcst.exe	36
PID 2480 wrote to memory of 784	2480	svchcst.exe	36
PID 2480 wrote to memory of 784	2480	svchcst.exe	36
PID 784 wrote to memory of 1644	784	WScript.exe	37
PID 784 wrote to memory of 1644	784	WScript.exe	37
PID 784 wrote to memory of 1644	784	WScript.exe	37
PID 784 wrote to memory of 1644	784	WScript.exe	37
PID 1644 wrote to memory of 2088	1644	svchcst.exe	38
PID 1644 wrote to memory of 2088	1644	svchcst.exe	38
PID 1644 wrote to memory of 2088	1644	svchcst.exe	38
PID 1644 wrote to memory of 2088	1644	svchcst.exe	38
PID 2088 wrote to memory of 2324	2088	WScript.exe	39
PID 2088 wrote to memory of 2324	2088	WScript.exe	39
PID 2088 wrote to memory of 2324	2088	WScript.exe	39
PID 2088 wrote to memory of 2324	2088	WScript.exe	39
PID 2324 wrote to memory of 1144	2324	svchcst.exe	40
PID 2324 wrote to memory of 1144	2324	svchcst.exe	40
PID 2324 wrote to memory of 1144	2324	svchcst.exe	40
PID 2324 wrote to memory of 1144	2324	svchcst.exe	40
PID 1144 wrote to memory of 1536	1144	WScript.exe	41
PID 1144 wrote to memory of 1536	1144	WScript.exe	41
PID 1144 wrote to memory of 1536	1144	WScript.exe	41
PID 1144 wrote to memory of 1536	1144	WScript.exe	41
PID 1536 wrote to memory of 776	1536	svchcst.exe	42
PID 1536 wrote to memory of 776	1536	svchcst.exe	42
PID 1536 wrote to memory of 776	1536	svchcst.exe	42
PID 1536 wrote to memory of 776	1536	svchcst.exe	42
PID 776 wrote to memory of 1804	776	WScript.exe	45
PID 776 wrote to memory of 1804	776	WScript.exe	45
PID 776 wrote to memory of 1804	776	WScript.exe	45
PID 776 wrote to memory of 1804	776	WScript.exe	45
PID 1804 wrote to memory of 1752	1804	svchcst.exe	46
PID 1804 wrote to memory of 1752	1804	svchcst.exe	46
PID 1804 wrote to memory of 1752	1804	svchcst.exe	46
PID 1804 wrote to memory of 1752	1804	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe
"C:\Users\Admin\AppData\Local\Temp\bf0e0f456990806edfcdd0094952a648e76ecc64ef7c34dbd7f46409c9b3a55e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:1552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ddded44bc914fe22ef2cdc3d92082dfa

SHA1
dcbd01674ffdd62cabd96a858cc8032c808228b3

SHA256
732b691d13b5fe2cb02290eb57c4218852ea42bf3ecc7e4e5d3b27f6cba17ba8

SHA512
6efa4dd7e98da924a1b1582c0f5e6c64647bda45d6ebd3b360122825351edb5f256ae66c36f46ee512f38aec0619b578c98c848f7ac0faf17160de78dbcc46ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0cea0315e530990c8b15618244a85889

SHA1
7da2dc23fc74c9fcec1242fb6b35e9a4ba70916a

SHA256
b9d6a124e72411d47552ade245ca18fe1b2167ad428af3f2923af7ee8d153281

SHA512
f328984e2bc8d9ac68ec94301b4765b1c75eb690a21a1a7289641236de5a04316b0563a15ece1cc5b3a858483eb6f3ab8c0275900aa2542355f4dba54a79ba68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
864cb1705c9a493770456915f05c00dc

SHA1
edc93873d62cc7f224b510ebaf27a9046619044b

SHA256
9cdbeb7d79c762e074881b96c1ab31b526778f23a24d646ed27979b571bf5155

SHA512
8bd8bfa9d726b28fa32961dec74b1d7f423c1865c815570e09d2cfcbc63efd45b3102e3ebeddd76feaef7c990e9166c13ddca9720a7f4d6462d85fe90f663f4e

Download Submit