50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
Size

1.1MB
MD5

738d9e5631033af637e852858158f9d2
SHA1

9909851854f07f373021f94eeb5be7e9d71d4020
SHA256

50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81
SHA512

e93143f571f489d16589b30d1598e9c9bba3d6a4f38b4202153939208a15521c0678e47df44503461b7797eb9a0fbffce2c72587a7f6acdd1f8eb5153d58fc4e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzMr

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
2132	svchcst.exe
1868	svchcst.exe
1856	svchcst.exe
840	svchcst.exe
2824	svchcst.exe
1168	svchcst.exe
928	svchcst.exe
2220	svchcst.exe
2624	svchcst.exe
2372	svchcst.exe
2772	svchcst.exe
1336	svchcst.exe
1936	svchcst.exe
276	svchcst.exe
784	svchcst.exe
1604	svchcst.exe
2620	svchcst.exe
2132	svchcst.exe
1868	svchcst.exe
1856	svchcst.exe
1448	svchcst.exe
2792	svchcst.exe
2364	svchcst.exe
472	svchcst.exe
2208	svchcst.exe

Loads dropped DLL 47 IoCs

pid	Process
2556	WScript.exe
2536	WScript.exe
2556	WScript.exe
2536	WScript.exe
2968	WScript.exe
2688	WScript.exe
2688	WScript.exe
1764	WScript.exe
1804	WScript.exe
2868	WScript.exe
2868	WScript.exe
1160	WScript.exe
1160	WScript.exe
1700	WScript.exe
1700	WScript.exe
1640	WScript.exe
1640	WScript.exe
1932	WScript.exe
1932	WScript.exe
488	WScript.exe
488	WScript.exe
2272	WScript.exe
2272	WScript.exe
1200	WScript.exe
1200	WScript.exe
1616	WScript.exe
1616	WScript.exe
1508	WScript.exe
1508	WScript.exe
2440	WScript.exe
2440	WScript.exe
1528	WScript.exe
1528	WScript.exe
2820	WScript.exe
2820	WScript.exe
804	WScript.exe
804	WScript.exe
860	WScript.exe
860	WScript.exe
1440	WScript.exe
1440	WScript.exe
2072	WScript.exe
2072	WScript.exe
1140	WScript.exe
1140	WScript.exe
1624	WScript.exe
1624	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
1868	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
2132	svchcst.exe
2132	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
840	svchcst.exe
840	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
1168	svchcst.exe
1168	svchcst.exe
928	svchcst.exe
928	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
1336	svchcst.exe
1336	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
276	svchcst.exe
276	svchcst.exe
784	svchcst.exe
784	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
1448	svchcst.exe
1448	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
472	svchcst.exe
472	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2536	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	28
PID 2012 wrote to memory of 2536	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	28
PID 2012 wrote to memory of 2536	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	28
PID 2012 wrote to memory of 2536	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	28
PID 2012 wrote to memory of 2556	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	29
PID 2012 wrote to memory of 2556	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	29
PID 2012 wrote to memory of 2556	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	29
PID 2012 wrote to memory of 2556	2012	50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe	29
PID 2556 wrote to memory of 2132	2556	WScript.exe	31
PID 2556 wrote to memory of 2132	2556	WScript.exe	31
PID 2556 wrote to memory of 2132	2556	WScript.exe	31
PID 2556 wrote to memory of 2132	2556	WScript.exe	31
PID 2536 wrote to memory of 1868	2536	WScript.exe	32
PID 2536 wrote to memory of 1868	2536	WScript.exe	32
PID 2536 wrote to memory of 1868	2536	WScript.exe	32
PID 2536 wrote to memory of 1868	2536	WScript.exe	32
PID 1868 wrote to memory of 2968	1868	svchcst.exe	33
PID 1868 wrote to memory of 2968	1868	svchcst.exe	33
PID 1868 wrote to memory of 2968	1868	svchcst.exe	33
PID 1868 wrote to memory of 2968	1868	svchcst.exe	33
PID 2968 wrote to memory of 1856	2968	WScript.exe	34
PID 2968 wrote to memory of 1856	2968	WScript.exe	34
PID 2968 wrote to memory of 1856	2968	WScript.exe	34
PID 2968 wrote to memory of 1856	2968	WScript.exe	34
PID 1856 wrote to memory of 2688	1856	svchcst.exe	35
PID 1856 wrote to memory of 2688	1856	svchcst.exe	35
PID 1856 wrote to memory of 2688	1856	svchcst.exe	35
PID 1856 wrote to memory of 2688	1856	svchcst.exe	35
PID 2688 wrote to memory of 840	2688	WScript.exe	36
PID 2688 wrote to memory of 840	2688	WScript.exe	36
PID 2688 wrote to memory of 840	2688	WScript.exe	36
PID 2688 wrote to memory of 840	2688	WScript.exe	36
PID 840 wrote to memory of 1764	840	svchcst.exe	37
PID 840 wrote to memory of 1764	840	svchcst.exe	37
PID 840 wrote to memory of 1764	840	svchcst.exe	37
PID 840 wrote to memory of 1764	840	svchcst.exe	37
PID 1764 wrote to memory of 2824	1764	WScript.exe	38
PID 1764 wrote to memory of 2824	1764	WScript.exe	38
PID 1764 wrote to memory of 2824	1764	WScript.exe	38
PID 1764 wrote to memory of 2824	1764	WScript.exe	38
PID 2824 wrote to memory of 1804	2824	svchcst.exe	39
PID 2824 wrote to memory of 1804	2824	svchcst.exe	39
PID 2824 wrote to memory of 1804	2824	svchcst.exe	39
PID 2824 wrote to memory of 1804	2824	svchcst.exe	39
PID 1804 wrote to memory of 1168	1804	WScript.exe	40
PID 1804 wrote to memory of 1168	1804	WScript.exe	40
PID 1804 wrote to memory of 1168	1804	WScript.exe	40
PID 1804 wrote to memory of 1168	1804	WScript.exe	40
PID 1168 wrote to memory of 2868	1168	svchcst.exe	41
PID 1168 wrote to memory of 2868	1168	svchcst.exe	41
PID 1168 wrote to memory of 2868	1168	svchcst.exe	41
PID 1168 wrote to memory of 2868	1168	svchcst.exe	41
PID 2868 wrote to memory of 928	2868	WScript.exe	42
PID 2868 wrote to memory of 928	2868	WScript.exe	42
PID 2868 wrote to memory of 928	2868	WScript.exe	42
PID 2868 wrote to memory of 928	2868	WScript.exe	42
PID 928 wrote to memory of 1160	928	svchcst.exe	43
PID 928 wrote to memory of 1160	928	svchcst.exe	43
PID 928 wrote to memory of 1160	928	svchcst.exe	43
PID 928 wrote to memory of 1160	928	svchcst.exe	43
PID 1160 wrote to memory of 2220	1160	WScript.exe	46
PID 1160 wrote to memory of 2220	1160	WScript.exe	46
PID 1160 wrote to memory of 2220	1160	WScript.exe	46
PID 1160 wrote to memory of 2220	1160	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe
"C:\Users\Admin\AppData\Local\Temp\50c9d3d8fde81a0a01c1f6686df6cb8c8fb53bad658f8c15a5114afdd7faad81.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        Loads dropped DLL
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        50⤵
        
        PID:1944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e04182ddbcfe44c4d343a47bc7874477

SHA1
c6687501eecdf6fedb7785c536bcd4f65b8320c3

SHA256
480b478c69e9ad0ec964a2217d323da0b3ce9a92e2ab6a5bfe5e570a0b791b11

SHA512
6e0eba7149f64ece054b679865724c8c3584d01e663bf4e3964f7bfd0be7d89fd1e08df752289d6b8f9bda31f03e3d918fe4b1d04310f5326887a4ff5c283f2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
41ff9dfbbc10bdfb1133e17a26fe3bed

SHA1
5cd2dec2f69701ac3b5a7ddafde697c8015a0b9f

SHA256
a620736fe0bac84d75a64cff721961c7044a9a507cff2213d1acb9c846c32a1a

SHA512
470ed1d4b7d86e498a4bfc2508ed9d5d505599bf2c5953e9879bc4357efa12f38c5682818a1c986a6b28e4aca66bfa4b3de92d97d6e664db811dbd75a28df466

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a0b234d5ab844fd433f7443dab94236f

SHA1
da75ee71f206c25443f937c3c84e0aacb73627f1

SHA256
41eb076b3b3f945825b8000b96d1d43d6296d240a91ba9337426e5fde849f3d1

SHA512
8801c04caf2b5a91ec113ebf29f06956868ac603f4becf64ef6f66b58b67f8829cf666478b0c8dad7522685ec87f81b602b77d943b352ae274dceb71eedbf8f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ac125b830bb799b5405e775f5f0c9025

SHA1
4e6c27d6c618133d0eea2fce1fbc322cd6849471

SHA256
3d31d43342bf7db428f45f14ed31865d2e58ee2184c31fde9e8041c85ab55129

SHA512
0935392ced864acf2906433fd8c87470d7ba417ae7378ad86b413b0e202d0e4756c06faeade375c4fc9c2702509fd6d3fb564b2cfa03d1208b964f3a7c2024be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4b237682da38b3165946305ad2a49ae

SHA1
91d70db2856a5758aa1cf2298d841380cb92db7a

SHA256
108c2f7a1dfcdc223300e29e92ac2a04d0c0ab0ad8ee358eb336a733bd1bb801

SHA512
a6042369dc9abdba97ebcab95b9e3c74533aa4af07cbaf84740707399f166d15aa02123350f52bb1069949bdfcbf2fc9838ac863f3e9bf63005177eb1544974e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ccfdd22a2e20fdc576b928d8e8fd21fd

SHA1
83662380d38c126ca7397360966e900ca8387ea6

SHA256
6cb16afe23f186d7c56185aaa9c8f4565761dca40d08d4cdfeb1b5014d48b08a

SHA512
5a260889ca7705b1587ed1a66158be8abe183a2acb9fe5441caf05024e7ab0b2fbf0557fb0cf84c18dc50a5cf39ebaf72559194a4d11f72aeafdced9648f547b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e9fe6c810731127d5e4da95141172987

SHA1
4dc98621b0df3e1b7f61c6634184782b93956e98

SHA256
36982a4cb23da7e09659f8f8a0094222053f6ec0b66695dae734da5236f8a5b4

SHA512
635406547a40711363843803789fb93fb457c3d64e586e1a8f88aedc32e9a4b13b6f90ae6d89ffa86c5c1bb174fb454f5f188dc93142a22c1d96fc546fb5f56b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e202ae881e6b4b88baaa8f810fa247c9

SHA1
63416404b800d601cc1df6bbc75312282ff9e5e1

SHA256
06e77416ba95271c8236ea3b0f319d91d6fac44efde259106262ca3a52daf4e7

SHA512
490e118ae7b18bfdfd6b5d82009b5607d02b5da7bb222dc11918755818a02202762a5f79c21520fc199753a15bfc8c0aba31d12e993dfe4f868e1a51748597aa

Download Submit
memory/276-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/276-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/472-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/784-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/784-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/840-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/840-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/928-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1160-100-0x0000000004790000-0x00000000048EF000-memory.dmp

Filesize
1.4MB

Download
memory/1168-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1336-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1336-156-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1448-223-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1448-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1604-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1604-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-174-0x0000000005B30000-0x0000000005C8F000-memory.dmp

Filesize
1.4MB

Download
memory/1700-116-0x0000000004410000-0x000000000456F000-memory.dmp

Filesize
1.4MB

Download
memory/1804-74-0x0000000005A60000-0x0000000005BBF000-memory.dmp

Filesize
1.4MB

Download
memory/1856-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1932-140-0x0000000004330000-0x000000000448F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1936-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2012-11-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2132-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2208-258-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2220-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-239-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2372-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-190-0x0000000004590000-0x00000000046EF000-memory.dmp

Filesize
1.4MB

Download
memory/2536-20-0x0000000005A90000-0x0000000005BEF000-memory.dmp

Filesize
1.4MB

Download
memory/2556-19-0x0000000005B00000-0x0000000005C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-191-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2624-124-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-51-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-52-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-148-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2792-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-86-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download