51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
Size

1.1MB
MD5

0701807d60fd1ab688fb854b8e8faf1c
SHA1

0b706f92f12fe19ec30cb338c33dfd3bbc59aa84
SHA256

51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3
SHA512

1970ae2ee71dbbdae317cd7614c44c525feef918268d377f01d6c242fc0322666df2f1fe5f861be432ffef258b6c7bf0b0f8f6d5f1d2e56bdee3f5ec49bb2d75
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2736	svchcst.exe

Executes dropped EXE 26 IoCs

pid	Process
2736	svchcst.exe
1252	svchcst.exe
344	svchcst.exe
2328	svchcst.exe
1340	svchcst.exe
1776	svchcst.exe
1356	svchcst.exe
3032	svchcst.exe
2320	svchcst.exe
2400	svchcst.exe
1308	svchcst.exe
2220	svchcst.exe
1076	svchcst.exe
1576	svchcst.exe
1732	svchcst.exe
1464	svchcst.exe
2996	svchcst.exe
1828	svchcst.exe
2096	svchcst.exe
3000	svchcst.exe
2164	svchcst.exe
2244	svchcst.exe
1692	svchcst.exe
2456	svchcst.exe
2204	svchcst.exe
1496	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2084	WScript.exe
2084	WScript.exe
2552	WScript.exe
1648	WScript.exe
1648	WScript.exe
2384	WScript.exe
2384	WScript.exe
2204	WScript.exe
2964	WScript.exe
2964	WScript.exe
2964	WScript.exe
300	WScript.exe
300	WScript.exe
2644	WScript.exe
1136	WScript.exe
1136	WScript.exe
1136	WScript.exe
2380	WScript.exe
2380	WScript.exe
2880	WScript.exe
2880	WScript.exe
1068	WScript.exe
1068	WScript.exe
1068	WScript.exe
1068	WScript.exe
2068	WScript.exe
2068	WScript.exe
980	WScript.exe
2068	WScript.exe
2068	WScript.exe
2068	WScript.exe
2084	WScript.exe
2084	WScript.exe
284	WScript.exe
284	WScript.exe
1984	WScript.exe
1984	WScript.exe
2836	WScript.exe
2836	WScript.exe
3064	WScript.exe
3064	WScript.exe
2956	WScript.exe
2956	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
2736	svchcst.exe
2736	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
344	svchcst.exe
344	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
1340	svchcst.exe
1340	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
1356	svchcst.exe
1356	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
1308	svchcst.exe
1308	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1076	svchcst.exe
1076	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
1464	svchcst.exe
1464	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2244	svchcst.exe
2244	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2456	svchcst.exe
2456	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2084	2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	28
PID 2072 wrote to memory of 2084	2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	28
PID 2072 wrote to memory of 2084	2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	28
PID 2072 wrote to memory of 2084	2072	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	28
PID 2084 wrote to memory of 2736	2084	WScript.exe	30
PID 2084 wrote to memory of 2736	2084	WScript.exe	30
PID 2084 wrote to memory of 2736	2084	WScript.exe	30
PID 2084 wrote to memory of 2736	2084	WScript.exe	30
PID 2736 wrote to memory of 2552	2736	svchcst.exe	31
PID 2736 wrote to memory of 2552	2736	svchcst.exe	31
PID 2736 wrote to memory of 2552	2736	svchcst.exe	31
PID 2736 wrote to memory of 2552	2736	svchcst.exe	31
PID 2552 wrote to memory of 1252	2552	WScript.exe	32
PID 2552 wrote to memory of 1252	2552	WScript.exe	32
PID 2552 wrote to memory of 1252	2552	WScript.exe	32
PID 2552 wrote to memory of 1252	2552	WScript.exe	32
PID 1252 wrote to memory of 1648	1252	svchcst.exe	33
PID 1252 wrote to memory of 1648	1252	svchcst.exe	33
PID 1252 wrote to memory of 1648	1252	svchcst.exe	33
PID 1252 wrote to memory of 1648	1252	svchcst.exe	33
PID 1648 wrote to memory of 344	1648	WScript.exe	34
PID 1648 wrote to memory of 344	1648	WScript.exe	34
PID 1648 wrote to memory of 344	1648	WScript.exe	34
PID 1648 wrote to memory of 344	1648	WScript.exe	34
PID 344 wrote to memory of 2384	344	svchcst.exe	35
PID 344 wrote to memory of 2384	344	svchcst.exe	35
PID 344 wrote to memory of 2384	344	svchcst.exe	35
PID 344 wrote to memory of 2384	344	svchcst.exe	35
PID 2384 wrote to memory of 2328	2384	WScript.exe	36
PID 2384 wrote to memory of 2328	2384	WScript.exe	36
PID 2384 wrote to memory of 2328	2384	WScript.exe	36
PID 2384 wrote to memory of 2328	2384	WScript.exe	36
PID 2328 wrote to memory of 2204	2328	svchcst.exe	37
PID 2328 wrote to memory of 2204	2328	svchcst.exe	37
PID 2328 wrote to memory of 2204	2328	svchcst.exe	37
PID 2328 wrote to memory of 2204	2328	svchcst.exe	37
PID 2204 wrote to memory of 1340	2204	WScript.exe	38
PID 2204 wrote to memory of 1340	2204	WScript.exe	38
PID 2204 wrote to memory of 1340	2204	WScript.exe	38
PID 2204 wrote to memory of 1340	2204	WScript.exe	38
PID 1340 wrote to memory of 2964	1340	svchcst.exe	39
PID 1340 wrote to memory of 2964	1340	svchcst.exe	39
PID 1340 wrote to memory of 2964	1340	svchcst.exe	39
PID 1340 wrote to memory of 2964	1340	svchcst.exe	39
PID 2964 wrote to memory of 1776	2964	WScript.exe	40
PID 2964 wrote to memory of 1776	2964	WScript.exe	40
PID 2964 wrote to memory of 1776	2964	WScript.exe	40
PID 2964 wrote to memory of 1776	2964	WScript.exe	40
PID 1776 wrote to memory of 300	1776	svchcst.exe	41
PID 1776 wrote to memory of 300	1776	svchcst.exe	41
PID 1776 wrote to memory of 300	1776	svchcst.exe	41
PID 1776 wrote to memory of 300	1776	svchcst.exe	41
PID 2964 wrote to memory of 1356	2964	WScript.exe	42
PID 2964 wrote to memory of 1356	2964	WScript.exe	42
PID 2964 wrote to memory of 1356	2964	WScript.exe	42
PID 2964 wrote to memory of 1356	2964	WScript.exe	42
PID 1356 wrote to memory of 2444	1356	svchcst.exe	43
PID 1356 wrote to memory of 2444	1356	svchcst.exe	43
PID 1356 wrote to memory of 2444	1356	svchcst.exe	43
PID 1356 wrote to memory of 2444	1356	svchcst.exe	43
PID 300 wrote to memory of 3032	300	WScript.exe	46
PID 300 wrote to memory of 3032	300	WScript.exe	46
PID 300 wrote to memory of 3032	300	WScript.exe	46
PID 300 wrote to memory of 3032	300	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
"C:\Users\Admin\AppData\Local\Temp\51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c84435f6f17b57789108816a811f16d8

SHA1
027163edab6e2180091a935ef443ec16c1633123

SHA256
a0f769d55b9124d67574d36bc7b3a305afd30076bb0f5b56762a410ff3529efc

SHA512
ebe8dc55cad01a9f21f616d0506bba098b2d6b28a80bc87a288235233784795acb4531e0b137e1d0e1e8679ea46b567a2eef3e8c566db19e5d13bc4682f9f215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
858051989565c42194af4617bc1f30ae

SHA1
7e9536848cca100a71148f8708958a9fd0032fe7

SHA256
45e0c566fa1aace7b62220e1bd4f4da12624632328abaddf7aad7a48c7cb2d69

SHA512
c7fddd114559d06e8bdbea6eb87e7dabc199ba8ba91934fe7a37835ddff07e8b13810d6d547d7849093059c29108dd2b1d65ce2be5967489cb76422e29042d78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5d181f4287dd4cbe0e461706c749c0dc

SHA1
8b7cb8488c9412fa469db8bbd007d65e610291ea

SHA256
20528cd9599b239452f32355d689ddfa993dd586ad3a613b4134eeab7348eeb8

SHA512
f53a2b7056dbd071b791e35f59f212b8b4435fed9a10e26446e267e6df6d12c0bc765f8648e371e08e65b4c106dab0fa8d2dce5f040ca149fd1066434f0509a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
309ab4d4780ae89179f4ce25a028dfe5

SHA1
76da6daa2ff2dfcd006ed5c2c5c2841a6917bbd5

SHA256
9bdb7834820492b513726003065255f2b778adbc322ad11b37203197060fbefd

SHA512
4874e3989ce7b098ecb83e6ff2aec4208bf297cd8d65046502ace331f1a03c81c0f3f839c53b826fd331299a9be91a9e34edfd74998949f5617fcfc4a5d0d868

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c54e56090145035a66ea15e921e45ff7

SHA1
caced67b3beca752b09af5a9670e7171d37a73ac

SHA256
5d1235147e4f839351fa7c24eb66ffad896be3bf3316993dd94951024d3fe49f

SHA512
7adee88ea1fa1a12ada6c01bf0f5d6500072899096683e7f18764797babe0422ae6e005e2969e02a937126e66c0d62229383e58f817bcfae8575c7289e472379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
44be924b87b3444e35598f2361bc92f7

SHA1
1e6d495abd349a8d9557d6e0e55f31efa8471481

SHA256
88c1b492add2d719e4173d4a4450b02d7dc962317cb7f16f278801259df81dd3

SHA512
03a61dcd53eb597e29d5512831df7412368ff8489197bcc3cdf5a7facf7d88dae620a1ff2ce89ae1d88a10be91b7b1fcba20affe58a8ecfad5ff253288ce6697

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2a09e5835e91057b6960e8e2e9a0047

SHA1
801d0fb2953515798bfd6919a8f7192f895301b9

SHA256
72cfbd86d48936b0ca9dce7bac3119ff1965551a8adf9d0ac27aaf7a5f5e1e0d

SHA512
7b0b9eda8cf51d27335ed121372c3d6e0996fd5de995f36b6e7c8975fb3ef37a7e18e3717355772d84816844cc7a5b60aba848a548b90706e4b67771b86a1fba

Download Submit
memory/300-148-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/300-114-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/300-119-0x0000000004730000-0x000000000488F000-memory.dmp

Filesize
1.4MB

Download
memory/344-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/344-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/980-200-0x00000000040D0000-0x000000000422F000-memory.dmp

Filesize
1.4MB

Download
memory/1076-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1076-166-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1252-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1252-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1340-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1340-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-101-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1356-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1464-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1496-264-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1576-183-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-43-0x0000000005F80000-0x00000000060DF000-memory.dmp

Filesize
1.4MB

Download
memory/1648-44-0x0000000005F80000-0x00000000060DF000-memory.dmp

Filesize
1.4MB

Download
memory/1692-236-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1776-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-14-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/2084-15-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2096-212-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2164-227-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-256-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-73-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-259-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2320-131-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-70-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2384-64-0x0000000004A50000-0x0000000004BAF000-memory.dmp

Filesize
1.4MB

Download
memory/2384-59-0x0000000004A50000-0x0000000004BAF000-memory.dmp

Filesize
1.4MB

Download
memory/2400-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2400-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2456-248-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2880-174-0x00000000059C0000-0x0000000005B1F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-100-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2964-85-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2964-99-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2996-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2996-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3032-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download