e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
Size

1.1MB
MD5

4ec1e232ae04577a5cb90ce6ef4d5f43
SHA1

5f22e0107b5798edc0f28d05b6f9099e726c2214
SHA256

e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8
SHA512

2f3d750b55f80abfc602514fe529945b1b1d5e901955dcbbfeab8a51e9893915032a1cce8c632cf85831862ab670c07c26847b7aa0bd98fa95b361b6059fd114
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q0:acallSllG4ZM7QzMT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2412	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2412	svchcst.exe
2804	svchcst.exe
1692	svchcst.exe
2448	svchcst.exe
940	svchcst.exe
3012	svchcst.exe
1720	svchcst.exe
2616	svchcst.exe
2540	svchcst.exe
2668	svchcst.exe
1508	svchcst.exe
2036	svchcst.exe
1416	svchcst.exe
412	svchcst.exe
1600	svchcst.exe
1256	svchcst.exe
1544	svchcst.exe
2584	svchcst.exe
2900	svchcst.exe
2456	svchcst.exe
808	svchcst.exe
1420	svchcst.exe
608	svchcst.exe
940	svchcst.exe

Loads dropped DLL 35 IoCs

pid	Process
2556	WScript.exe
2556	WScript.exe
2968	WScript.exe
2220	WScript.exe
2220	WScript.exe
2244	WScript.exe
2244	WScript.exe
2244	WScript.exe
796	WScript.exe
2340	WScript.exe
2340	WScript.exe
2496	WScript.exe
2184	WScript.exe
3060	WScript.exe
3060	WScript.exe
2016	WScript.exe
2016	WScript.exe
920	WScript.exe
920	WScript.exe
2168	WScript.exe
2168	WScript.exe
1444	WScript.exe
1444	WScript.exe
312	WScript.exe
312	WScript.exe
1500	WScript.exe
1500	WScript.exe
2364	WScript.exe
2364	WScript.exe
1740	WScript.exe
1740	WScript.exe
2288	WScript.exe
2288	WScript.exe
1756	WScript.exe
1756	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
2412	svchcst.exe
2412	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
940	svchcst.exe
940	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
412	svchcst.exe
412	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
1256	svchcst.exe
1256	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
808	svchcst.exe
808	svchcst.exe
1420	svchcst.exe
1420	svchcst.exe
608	svchcst.exe
608	svchcst.exe
940	svchcst.exe
940	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2556	2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe	28
PID 2144 wrote to memory of 2556	2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe	28
PID 2144 wrote to memory of 2556	2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe	28
PID 2144 wrote to memory of 2556	2144	e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe	28
PID 2556 wrote to memory of 2412	2556	WScript.exe	30
PID 2556 wrote to memory of 2412	2556	WScript.exe	30
PID 2556 wrote to memory of 2412	2556	WScript.exe	30
PID 2556 wrote to memory of 2412	2556	WScript.exe	30
PID 2412 wrote to memory of 2968	2412	svchcst.exe	31
PID 2412 wrote to memory of 2968	2412	svchcst.exe	31
PID 2412 wrote to memory of 2968	2412	svchcst.exe	31
PID 2412 wrote to memory of 2968	2412	svchcst.exe	31
PID 2968 wrote to memory of 2804	2968	WScript.exe	32
PID 2968 wrote to memory of 2804	2968	WScript.exe	32
PID 2968 wrote to memory of 2804	2968	WScript.exe	32
PID 2968 wrote to memory of 2804	2968	WScript.exe	32
PID 2804 wrote to memory of 2220	2804	svchcst.exe	33
PID 2804 wrote to memory of 2220	2804	svchcst.exe	33
PID 2804 wrote to memory of 2220	2804	svchcst.exe	33
PID 2804 wrote to memory of 2220	2804	svchcst.exe	33
PID 2220 wrote to memory of 1692	2220	WScript.exe	34
PID 2220 wrote to memory of 1692	2220	WScript.exe	34
PID 2220 wrote to memory of 1692	2220	WScript.exe	34
PID 2220 wrote to memory of 1692	2220	WScript.exe	34
PID 1692 wrote to memory of 1276	1692	svchcst.exe	35
PID 1692 wrote to memory of 1276	1692	svchcst.exe	35
PID 1692 wrote to memory of 1276	1692	svchcst.exe	35
PID 1692 wrote to memory of 1276	1692	svchcst.exe	35
PID 2220 wrote to memory of 2448	2220	WScript.exe	36
PID 2220 wrote to memory of 2448	2220	WScript.exe	36
PID 2220 wrote to memory of 2448	2220	WScript.exe	36
PID 2220 wrote to memory of 2448	2220	WScript.exe	36
PID 2448 wrote to memory of 2244	2448	svchcst.exe	37
PID 2448 wrote to memory of 2244	2448	svchcst.exe	37
PID 2448 wrote to memory of 2244	2448	svchcst.exe	37
PID 2448 wrote to memory of 2244	2448	svchcst.exe	37
PID 2244 wrote to memory of 940	2244	WScript.exe	38
PID 2244 wrote to memory of 940	2244	WScript.exe	38
PID 2244 wrote to memory of 940	2244	WScript.exe	38
PID 2244 wrote to memory of 940	2244	WScript.exe	38
PID 940 wrote to memory of 2380	940	svchcst.exe	39
PID 940 wrote to memory of 2380	940	svchcst.exe	39
PID 940 wrote to memory of 2380	940	svchcst.exe	39
PID 940 wrote to memory of 2380	940	svchcst.exe	39
PID 2244 wrote to memory of 3012	2244	WScript.exe	40
PID 2244 wrote to memory of 3012	2244	WScript.exe	40
PID 2244 wrote to memory of 3012	2244	WScript.exe	40
PID 2244 wrote to memory of 3012	2244	WScript.exe	40
PID 3012 wrote to memory of 796	3012	svchcst.exe	41
PID 3012 wrote to memory of 796	3012	svchcst.exe	41
PID 3012 wrote to memory of 796	3012	svchcst.exe	41
PID 3012 wrote to memory of 796	3012	svchcst.exe	41
PID 796 wrote to memory of 1720	796	WScript.exe	42
PID 796 wrote to memory of 1720	796	WScript.exe	42
PID 796 wrote to memory of 1720	796	WScript.exe	42
PID 796 wrote to memory of 1720	796	WScript.exe	42
PID 1720 wrote to memory of 2340	1720	svchcst.exe	43
PID 1720 wrote to memory of 2340	1720	svchcst.exe	43
PID 1720 wrote to memory of 2340	1720	svchcst.exe	43
PID 1720 wrote to memory of 2340	1720	svchcst.exe	43
PID 2340 wrote to memory of 2616	2340	WScript.exe	46
PID 2340 wrote to memory of 2616	2340	WScript.exe	46
PID 2340 wrote to memory of 2616	2340	WScript.exe	46
PID 2340 wrote to memory of 2616	2340	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe
"C:\Users\Admin\AppData\Local\Temp\e0e5b98d80f5a97edbe070e290b4778e2a4cd8df721167d3e28e8017291b47c8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
edb280c7c82f8026fa9c7a78c1046253

SHA1
6d0266d3e423a5bd9e6e6a0269714452a1a73336

SHA256
d64dad53e52986438ac3dd868819a9839a891b423ff89af4564cea30a677cc3f

SHA512
b64ec466439fa67c36b4442e22844382cc58b69df9eb4c3dba13ac2a61457bd6e20cb64a45e84929a74f7bb333c8cc7e943996778b4f73f87f6563913cda6aa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cd8f4366d682c71e2188ae2d282c2616

SHA1
3b04f1a6780cef04c5b50e02539f032ab9eac6ba

SHA256
b8157fb60cbfe65b8e010b65ba7573d44e738be598d0b6d4e52409ee2f41214b

SHA512
8ab1efe530ebdf78411d8f6b5375084f2cfab7e7d4f0b85cf44aee4fcb5c0b1d93a7e0e5baed66a9f4fa1e49a73155ef55a55664c935b7eba0a8c7680c4d6f0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
26e608a806c3da5a1263b07425aad46b

SHA1
f1a6344eaa39eff8934bc9d58f1d50fd5fe3e733

SHA256
8626f50ca0a0efebe02d9b49f2cbee4acc5bfc61fd321f382095e190f1621680

SHA512
047a6e3eb9fc975d67df298f051ae239f266f7dc4ba0bf13f95cddf3c30bed62f4977940a79bf5fd624e086a53f0446c0023b855c6a05d727708a4f1a2aa4b00

Download Submit
memory/312-191-0x0000000005BC0000-0x0000000005D1F000-memory.dmp

Filesize
1.4MB

Download
memory/412-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/608-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/608-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/796-84-0x0000000004780000-0x00000000048DF000-memory.dmp

Filesize
1.4MB

Download
memory/808-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/808-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/940-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/940-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/940-241-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/940-234-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1256-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1416-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1420-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1420-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-186-0x0000000005BD0000-0x0000000005D2F000-memory.dmp

Filesize
1.4MB

Download
memory/1444-206-0x0000000005BD0000-0x0000000005D2F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1508-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1544-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-217-0x0000000005C70000-0x0000000005DCF000-memory.dmp

Filesize
1.4MB

Download
memory/2036-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2036-146-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2144-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-83-0x0000000005CC0000-0x0000000005E1F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-212-0x00000000049F0000-0x0000000004B4F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2412-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2540-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2556-15-0x0000000004A50000-0x0000000004BAF000-memory.dmp

Filesize
1.4MB

Download
memory/2556-13-0x0000000004A50000-0x0000000004BAF000-memory.dmp

Filesize
1.4MB

Download
memory/2584-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2584-190-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-81-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download