2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
Size

1.1MB
MD5

285ea1f931c1bcc1709898548406f998
SHA1

45d19fa0c2895856060d5c27a5deea6c4f723361
SHA256

2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756
SHA512

10d06a004dddfc351fe15ac8e7e2b4e094e69c66a9cb41676d6338d56c88660ff5655b0fe106d355807c82476288b8ee4546c4cb4ba912a9a90cedc77f6d5f99
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qe:CcaClSFlG4ZM7QzM1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1412	svchcst.exe

Executes dropped EXE 29 IoCs

pid	Process
1412	svchcst.exe
2544	svchcst.exe
2964	svchcst.exe
328	svchcst.exe
1392	svchcst.exe
1116	svchcst.exe
1048	svchcst.exe
1044	svchcst.exe
1760	svchcst.exe
1584	svchcst.exe
2216	svchcst.exe
3068	svchcst.exe
2584	svchcst.exe
2748	svchcst.exe
3016	svchcst.exe
988	svchcst.exe
1524	svchcst.exe
1760	svchcst.exe
2296	svchcst.exe
2716	svchcst.exe
2720	svchcst.exe
532	svchcst.exe
1140	svchcst.exe
2596	svchcst.exe
1044	svchcst.exe
2224	svchcst.exe
1524	svchcst.exe
1556	svchcst.exe
1632	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2704	WScript.exe
2704	WScript.exe
2568	WScript.exe
2916	WScript.exe
2016	WScript.exe
2016	WScript.exe
2004	WScript.exe
2004	WScript.exe
2532	WScript.exe
2532	WScript.exe
2004	WScript.exe
292	WScript.exe
292	WScript.exe
2564	WScript.exe
2844	WScript.exe
2844	WScript.exe
2964	WScript.exe
304	WScript.exe
304	WScript.exe
304	WScript.exe
2420	WScript.exe
2420	WScript.exe
1480	WScript.exe
1480	WScript.exe
1396	WScript.exe
1396	WScript.exe
828	WScript.exe
828	WScript.exe
1952	WScript.exe
1952	WScript.exe
1820	WScript.exe
1820	WScript.exe
2328	WScript.exe
2328	WScript.exe
1108	WScript.exe
1108	WScript.exe
2964	WScript.exe
2964	WScript.exe
2040	WScript.exe
2040	WScript.exe
2536	WScript.exe
2536	WScript.exe
2184	WScript.exe
2184	WScript.exe
1188	WScript.exe
1188	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe

Suspicious use of SetWindowsHookEx 60 IoCs

pid	Process
1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
1412	svchcst.exe
1412	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
328	svchcst.exe
328	svchcst.exe
1392	svchcst.exe
1392	svchcst.exe
1116	svchcst.exe
1116	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
1044	svchcst.exe
1044	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
988	svchcst.exe
988	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
532	svchcst.exe
532	svchcst.exe
1140	svchcst.exe
1140	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
1044	svchcst.exe
1044	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
1556	svchcst.exe
1556	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2704	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	28
PID 1248 wrote to memory of 2704	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	28
PID 1248 wrote to memory of 2704	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	28
PID 1248 wrote to memory of 2704	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	28
PID 1248 wrote to memory of 2568	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	29
PID 1248 wrote to memory of 2568	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	29
PID 1248 wrote to memory of 2568	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	29
PID 1248 wrote to memory of 2568	1248	2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe	29
PID 2704 wrote to memory of 1412	2704	WScript.exe	31
PID 2704 wrote to memory of 1412	2704	WScript.exe	31
PID 2704 wrote to memory of 1412	2704	WScript.exe	31
PID 2704 wrote to memory of 1412	2704	WScript.exe	31
PID 2568 wrote to memory of 2544	2568	WScript.exe	32
PID 2568 wrote to memory of 2544	2568	WScript.exe	32
PID 2568 wrote to memory of 2544	2568	WScript.exe	32
PID 2568 wrote to memory of 2544	2568	WScript.exe	32
PID 1412 wrote to memory of 2916	1412	svchcst.exe	33
PID 1412 wrote to memory of 2916	1412	svchcst.exe	33
PID 1412 wrote to memory of 2916	1412	svchcst.exe	33
PID 1412 wrote to memory of 2916	1412	svchcst.exe	33
PID 2916 wrote to memory of 2964	2916	WScript.exe	34
PID 2916 wrote to memory of 2964	2916	WScript.exe	34
PID 2916 wrote to memory of 2964	2916	WScript.exe	34
PID 2916 wrote to memory of 2964	2916	WScript.exe	34
PID 2964 wrote to memory of 2016	2964	svchcst.exe	35
PID 2964 wrote to memory of 2016	2964	svchcst.exe	35
PID 2964 wrote to memory of 2016	2964	svchcst.exe	35
PID 2964 wrote to memory of 2016	2964	svchcst.exe	35
PID 2016 wrote to memory of 328	2016	WScript.exe	36
PID 2016 wrote to memory of 328	2016	WScript.exe	36
PID 2016 wrote to memory of 328	2016	WScript.exe	36
PID 2016 wrote to memory of 328	2016	WScript.exe	36
PID 328 wrote to memory of 2004	328	svchcst.exe	37
PID 328 wrote to memory of 2004	328	svchcst.exe	37
PID 328 wrote to memory of 2004	328	svchcst.exe	37
PID 328 wrote to memory of 2004	328	svchcst.exe	37
PID 2016 wrote to memory of 1392	2016	WScript.exe	38
PID 2016 wrote to memory of 1392	2016	WScript.exe	38
PID 2016 wrote to memory of 1392	2016	WScript.exe	38
PID 2016 wrote to memory of 1392	2016	WScript.exe	38
PID 1392 wrote to memory of 2532	1392	svchcst.exe	39
PID 1392 wrote to memory of 2532	1392	svchcst.exe	39
PID 1392 wrote to memory of 2532	1392	svchcst.exe	39
PID 1392 wrote to memory of 2532	1392	svchcst.exe	39
PID 2004 wrote to memory of 1116	2004	WScript.exe	40
PID 2004 wrote to memory of 1116	2004	WScript.exe	40
PID 2004 wrote to memory of 1116	2004	WScript.exe	40
PID 2004 wrote to memory of 1116	2004	WScript.exe	40
PID 2004 wrote to memory of 1048	2004	WScript.exe	41
PID 2004 wrote to memory of 1048	2004	WScript.exe	41
PID 2004 wrote to memory of 1048	2004	WScript.exe	41
PID 2004 wrote to memory of 1048	2004	WScript.exe	41
PID 2532 wrote to memory of 1044	2532	WScript.exe	42
PID 2532 wrote to memory of 1044	2532	WScript.exe	42
PID 2532 wrote to memory of 1044	2532	WScript.exe	42
PID 2532 wrote to memory of 1044	2532	WScript.exe	42
PID 1048 wrote to memory of 1276	1048	svchcst.exe	43
PID 1048 wrote to memory of 1276	1048	svchcst.exe	43
PID 1048 wrote to memory of 1276	1048	svchcst.exe	43
PID 1048 wrote to memory of 1276	1048	svchcst.exe	43
PID 2004 wrote to memory of 1760	2004	WScript.exe	44
PID 2004 wrote to memory of 1760	2004	WScript.exe	44
PID 2004 wrote to memory of 1760	2004	WScript.exe	44
PID 2004 wrote to memory of 1760	2004	WScript.exe	44

C:\Users\Admin\AppData\Local\Temp\2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe
"C:\Users\Admin\AppData\Local\Temp\2bc42976b13368159f841aa97e3a90585857c6486de52cfa06ff097f644e7756.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        
        PID:292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c798ed39139e6c1876544d4b97d56879

SHA1
9a6af3b86e64956f09592bb0f8e367577c7862df

SHA256
fc4b28495ca2ba06f046f580a11efb514f1f1fee557cd5fd45624bddb3be89e5

SHA512
0b2d2f8c3ecc577329781c4d7037b9ba6a67cc0668837f5241b29a82c6ac3a162151d137992c3d9c8a876efa3b3c93df8776a49a72373de8168c31208c084f56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
512KB

MD5
504be9a8ff9f05232b9ab5a64de8138a

SHA1
e32500299334cc60e84fdf40f824eca2c1cc2868

SHA256
88419de77cb9979e4a68d9571dd3fd61cc4f5f20de627318db8b0d570d866c64

SHA512
ad3c25fb9275dbb5bd683f7826615771b54624decdec5c39440057722524aec0928b6dc346d0b1b680e0ecd68ac1bd27e721132f81f8d3096e6f1905162d0ece

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
232KB

MD5
3470f2f128efd87915785776352dc9c1

SHA1
f79d2ac5b302c1352c7147598eed38e813a0ef16

SHA256
0b83fe63362ed0421d38cfeebf7800627cfb1fe86ea4a265ce5d48531f2052a7

SHA512
66bc166eae373b2559093855f97f84d7c579274c3a31cc98967d4c896fa8dcfe60720d53117f93579697ca1137c9c3f2b2edb7bcfc1d71ffbda51b3a18e74ee8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
288KB

MD5
02bb8668df9e38d079a5f09f69cff628

SHA1
d481bec663f85503fb22006b00bfbb52ffa3751a

SHA256
f8f7c2b395034dab077785030bfdfe304142528bc2738598430386adcace5995

SHA512
e473afc22ed5392ad62ce74aa58953baa06d0ffa52a94226701f302a9cbf48241ef398824ac108489b1ab8d9717b1f3be262e6133d4a8dac58bf7cac6b816377

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d071f7fa39a0fe0fbe484cb8d91355e4

SHA1
f754afa96c582f74ef6a32f01fc9d6d8185c6523

SHA256
4476341af733b680ff74144e1febdb55caf49692fde380e2c9a713509891771a

SHA512
eadd98f1a65e6035ccf08e57ce41178a766ee927e2dc515075371e303bca99063202ac5f4cb36259867be4e65d5eef3ed23debe62e875a9d0cbd79f829b20fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
06b664df01b24ab5ed30e0a32525f90d

SHA1
f87dd5ddabd71c9efa316d7cc3f3a4b833d95be2

SHA256
e7c598aaad91ae114163337ddbd09c0d59ae4666ee44a88de6ec126de3341976

SHA512
d2c273b4c7387f2c5d5b67972b9ab14560a6122bab0dd458c6cac819e5123fe4a2d957e223ae4755996309da2deb3e19e0c79790b393ff29526487789d999f98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9d9ce066cbbd89f209a9b900445ae55d

SHA1
3c84d9db9a6c4943306987b0e26844be03382d44

SHA256
257fac696f66c8a22a7df9d0804658c751edb2a564c7953525550190bfe4c1ad

SHA512
00c67a87c6904809f5593f79cb3e79f1e072d5c70c190f894cca1c73b9c5f0957611d35ac7e245faa7f278bfc0258362e41b109b8e45f4cfa8167f950d9a6754

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
758KB

MD5
983898501ae929edbbde72a0c67bdb17

SHA1
5c474909ba546772e736c5afcc369a3a72c40135

SHA256
3a3dff329f34d2a4ddca32071c4c0a65cb44097eedcb062b39e2a4e17f022c75

SHA512
a6384af7305fd33d8fd20bc4afbf84981731b923fb5db15be31c8307c00f27d084b2857b41ae1d010ac5f50558fd42a44508ae984bc8652be3344c601d68a383

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
796KB

MD5
e66806760f69e2200140917324e6e96e

SHA1
9e27a0e99ce0af51c6d804adcc761db124b6d54c

SHA256
434a77cba6af418a0231745f601e9789a475aa933a9de463a24e6bc979e83e60

SHA512
bcb85b713eda86eb501ea952318fc7e078a5acaa373df89f15f5a4ba12978b4aedc10076e5df3e3dffc49fdd130aa9ee214131e32c3a15ca9921238598477151

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
189KB

MD5
5467d0e7d9865dcb5fff4c9da61b6a3a

SHA1
6797a1f1e768da8a77ccf3b84c0140364d6b0ec7

SHA256
246ab04864eb943348d1745cd1208f5082ae98049cad56719e05b6aea0bf5728

SHA512
f208813570c2f342a0d9f0cf1665b4aec6faa73994e10d4586e3e445da22eebd37d05e8cf3feb58b7a72c418210b928de9f438943dbbbecd6fddcc1d8652a491

Download Submit