ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe
Size

1.1MB
MD5

5dba4c436b7e0583f72cbd00e30b23dc
SHA1

b426da46c0d7cc66b420f7bbc97071cee7d879e8
SHA256

ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a
SHA512

a8b512879b8d56196ca5a88956802d8e29b82a7123167bf244b377a3f169e3613b0e4ad55155ef9322e7100b42de929e86405a3cc56233c3b90b0f936c1e460d
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qu:acallSllG4ZM7QzMF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2892	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2892	svchcst.exe
2088	svchcst.exe
2688	svchcst.exe
1776	svchcst.exe
540	svchcst.exe
2124	svchcst.exe
1700	svchcst.exe
1620	svchcst.exe
880	svchcst.exe
2340	svchcst.exe
2724	svchcst.exe
2088	svchcst.exe
1592	svchcst.exe
1492	svchcst.exe
1868	svchcst.exe
2248	svchcst.exe
1628	svchcst.exe
2292	svchcst.exe
2192	svchcst.exe
2992	svchcst.exe
1304	svchcst.exe
2124	svchcst.exe
1872	svchcst.exe
1908	svchcst.exe
1468	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2208	WScript.exe
2208	WScript.exe
2496	WScript.exe
1968	WScript.exe
1968	WScript.exe
1264	WScript.exe
2840	WScript.exe
1264	WScript.exe
1988	WScript.exe
1000	WScript.exe
2936	WScript.exe
2616	WScript.exe
2616	WScript.exe
952	WScript.exe
636	WScript.exe
636	WScript.exe
764	WScript.exe
764	WScript.exe
1732	WScript.exe
1732	WScript.exe
1832	WScript.exe
1832	WScript.exe
2900	WScript.exe
2900	WScript.exe
2460	WScript.exe
2460	WScript.exe
2468	WScript.exe
2468	WScript.exe
2780	WScript.exe
2780	WScript.exe
1220	WScript.exe
1220	WScript.exe
3036	WScript.exe
3036	WScript.exe
1948	WScript.exe
1948	WScript.exe
1680	WScript.exe
1680	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe
756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe
2892	svchcst.exe
2892	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
540	svchcst.exe
540	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
880	svchcst.exe
880	svchcst.exe
2340	svchcst.exe
2340	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
1492	svchcst.exe
1492	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
1304	svchcst.exe
1304	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
1872	svchcst.exe
1872	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2208	756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe	28
PID 756 wrote to memory of 2208	756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe	28
PID 756 wrote to memory of 2208	756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe	28
PID 756 wrote to memory of 2208	756	ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe	28
PID 2208 wrote to memory of 2892	2208	WScript.exe	30
PID 2208 wrote to memory of 2892	2208	WScript.exe	30
PID 2208 wrote to memory of 2892	2208	WScript.exe	30
PID 2208 wrote to memory of 2892	2208	WScript.exe	30
PID 2892 wrote to memory of 2496	2892	svchcst.exe	31
PID 2892 wrote to memory of 2496	2892	svchcst.exe	31
PID 2892 wrote to memory of 2496	2892	svchcst.exe	31
PID 2892 wrote to memory of 2496	2892	svchcst.exe	31
PID 2496 wrote to memory of 2088	2496	WScript.exe	32
PID 2496 wrote to memory of 2088	2496	WScript.exe	32
PID 2496 wrote to memory of 2088	2496	WScript.exe	32
PID 2496 wrote to memory of 2088	2496	WScript.exe	32
PID 2088 wrote to memory of 1968	2088	svchcst.exe	33
PID 2088 wrote to memory of 1968	2088	svchcst.exe	33
PID 2088 wrote to memory of 1968	2088	svchcst.exe	33
PID 2088 wrote to memory of 1968	2088	svchcst.exe	33
PID 1968 wrote to memory of 2688	1968	WScript.exe	34
PID 1968 wrote to memory of 2688	1968	WScript.exe	34
PID 1968 wrote to memory of 2688	1968	WScript.exe	34
PID 1968 wrote to memory of 2688	1968	WScript.exe	34
PID 2688 wrote to memory of 2840	2688	svchcst.exe	35
PID 2688 wrote to memory of 2840	2688	svchcst.exe	35
PID 2688 wrote to memory of 2840	2688	svchcst.exe	35
PID 2688 wrote to memory of 2840	2688	svchcst.exe	35
PID 1968 wrote to memory of 1776	1968	WScript.exe	36
PID 1968 wrote to memory of 1776	1968	WScript.exe	36
PID 1968 wrote to memory of 1776	1968	WScript.exe	36
PID 1968 wrote to memory of 1776	1968	WScript.exe	36
PID 1776 wrote to memory of 1264	1776	svchcst.exe	37
PID 1776 wrote to memory of 1264	1776	svchcst.exe	37
PID 1776 wrote to memory of 1264	1776	svchcst.exe	37
PID 1776 wrote to memory of 1264	1776	svchcst.exe	37
PID 1264 wrote to memory of 540	1264	WScript.exe	38
PID 1264 wrote to memory of 540	1264	WScript.exe	38
PID 1264 wrote to memory of 540	1264	WScript.exe	38
PID 1264 wrote to memory of 540	1264	WScript.exe	38
PID 540 wrote to memory of 1988	540	svchcst.exe	39
PID 540 wrote to memory of 1988	540	svchcst.exe	39
PID 540 wrote to memory of 1988	540	svchcst.exe	39
PID 540 wrote to memory of 1988	540	svchcst.exe	39
PID 2840 wrote to memory of 2124	2840	WScript.exe	40
PID 2840 wrote to memory of 2124	2840	WScript.exe	40
PID 2840 wrote to memory of 2124	2840	WScript.exe	40
PID 2840 wrote to memory of 2124	2840	WScript.exe	40
PID 1264 wrote to memory of 1700	1264	WScript.exe	41
PID 1264 wrote to memory of 1700	1264	WScript.exe	41
PID 1264 wrote to memory of 1700	1264	WScript.exe	41
PID 1264 wrote to memory of 1700	1264	WScript.exe	41
PID 1988 wrote to memory of 1620	1988	WScript.exe	42
PID 1988 wrote to memory of 1620	1988	WScript.exe	42
PID 1988 wrote to memory of 1620	1988	WScript.exe	42
PID 1988 wrote to memory of 1620	1988	WScript.exe	42
PID 1700 wrote to memory of 1000	1700	svchcst.exe	43
PID 1700 wrote to memory of 1000	1700	svchcst.exe	43
PID 1700 wrote to memory of 1000	1700	svchcst.exe	43
PID 1700 wrote to memory of 1000	1700	svchcst.exe	43
PID 1000 wrote to memory of 880	1000	WScript.exe	44
PID 1000 wrote to memory of 880	1000	WScript.exe	44
PID 1000 wrote to memory of 880	1000	WScript.exe	44
PID 1000 wrote to memory of 880	1000	WScript.exe	44

C:\Users\Admin\AppData\Local\Temp\ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe
"C:\Users\Admin\AppData\Local\Temp\ec4eaa35ae6752aa92a75e24535e4c664f81fc4b30c27e514a15de22c8fb3b1a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cceb9c7e90d67c56d1177c6bde9769cc

SHA1
b7a81b7069627562079313ab932c2514e8888e63

SHA256
69954ee8522a6fccc43531d8a2db09046bc31c92412e73e75a3edac8d571ccc0

SHA512
032bf8120e897e3e3677a47f9e23ed3f97596f688adf28807b49a3eee4fbf53e209db698f455f8e8c0c17ad627aedc7c0869fed4e7404c26bf8879b5363de056

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
16b9011648a577741b7fb4a55f1eeaac

SHA1
b0d86d1cf62b882bf28f0897ddb610e41cc6814c

SHA256
7bf3fbb9962c054e651caf4e49fa468d5892cb0bf88f4bbf3fd85b372a7d173c

SHA512
1d8631904aa2df5a90aef858d4369ed53d0075f97b42361a8e05c9a64f8e6a786897b625b1230d20415f3923db8aa5d8f5f619b7b9084202fecf4e7cead4366d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3f644c7d588deb41f79e40b61557d09d

SHA1
d6028a511abd8869162f4ec120250d8b872176ae

SHA256
b753510cba5b43b8400720c41ed861ebf286024fcede2d30be8bc0df612647b9

SHA512
e9c0c335f59119f8b092529ff410cebb55188a263bfc27daf770103530d477004406ede1cdb8067b251e076f860389c03e2fa41eeaf02e8fad77d69ba5b4c552

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d775168002c533795df38e2d25c5b11a

SHA1
db742988d09a01b68bdda32000deb6176ba9cee6

SHA256
e8e3ef28f716e05187e32536c51cac99b0daa9875885179a369d86a28831142e

SHA512
7403b84a0c5a36185e17c666092c654a8e332cb6320e6f5315058e14c3a84ddcb29c3d1072e028b17378ac49c9f9351cbe798b62dd919a0e6d79ab84264be075

Download Submit
memory/540-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/540-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/636-145-0x0000000003C50000-0x0000000003DAF000-memory.dmp

Filesize
1.4MB

Download
memory/756-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/756-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/880-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/880-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1264-79-0x0000000004650000-0x00000000047AF000-memory.dmp

Filesize
1.4MB

Download
memory/1264-61-0x0000000004650000-0x00000000047AF000-memory.dmp

Filesize
1.4MB

Download
memory/1304-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1304-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1492-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1592-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1628-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1700-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1700-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-175-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-247-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-36-0x0000000005B10000-0x0000000005C6F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2088-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-208-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-49-0x0000000004270000-0x00000000043CF000-memory.dmp

Filesize
1.4MB

Download
memory/2248-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2340-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2340-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2460-200-0x0000000005B50000-0x0000000005CAF000-memory.dmp

Filesize
1.4MB

Download
memory/2468-209-0x0000000005C30000-0x0000000005D8F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-125-0x0000000005D40000-0x0000000005E9F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-126-0x0000000005D40000-0x0000000005E9F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2724-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2840-73-0x0000000005A20000-0x0000000005B7F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2992-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3036-234-0x00000000047B0000-0x000000000490F000-memory.dmp

Filesize
1.4MB

Download