c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
Size

1.1MB
MD5

2a4bdd6529c896d7ffdd2e612d2f09e2
SHA1

282f66abdef35ca9dc625f2168fe5aea5043a075
SHA256

c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72
SHA512

8a187ef8bae494fc2f2d1be9b46272d64205237bd0f49d7ecbda5894538975f6b7e5479124a6badd68aeb65cdc2a37e64e47d138b48167b4d74ee2f095e514bc
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Ql:acallSllG4ZM7QzM+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3012	svchcst.exe

Executes dropped EXE 26 IoCs

pid	Process
3012	svchcst.exe
2596	svchcst.exe
1868	svchcst.exe
1720	svchcst.exe
1732	svchcst.exe
1644	svchcst.exe
1360	svchcst.exe
1512	svchcst.exe
2748	svchcst.exe
2784	svchcst.exe
3012	svchcst.exe
1440	svchcst.exe
1720	svchcst.exe
832	svchcst.exe
1828	svchcst.exe
2472	svchcst.exe
1808	svchcst.exe
2440	svchcst.exe
2620	svchcst.exe
2248	svchcst.exe
2156	svchcst.exe
2892	svchcst.exe
692	svchcst.exe
3052	svchcst.exe
1872	svchcst.exe
1132	svchcst.exe

Loads dropped DLL 48 IoCs

pid	Process
3016	WScript.exe
3016	WScript.exe
2552	WScript.exe
2892	WScript.exe
2892	WScript.exe
2892	WScript.exe
1828	WScript.exe
2960	WScript.exe
2960	WScript.exe
792	WScript.exe
792	WScript.exe
792	WScript.exe
792	WScript.exe
1928	WScript.exe
1928	WScript.exe
1608	WScript.exe
2536	WScript.exe
2536	WScript.exe
2868	WScript.exe
2868	WScript.exe
1796	WScript.exe
1796	WScript.exe
1528	WScript.exe
1528	WScript.exe
3024	WScript.exe
3024	WScript.exe
1084	WScript.exe
1084	WScript.exe
2320	WScript.exe
2320	WScript.exe
2588	WScript.exe
2588	WScript.exe
2560	WScript.exe
2560	WScript.exe
2284	WScript.exe
2284	WScript.exe
1996	WScript.exe
1996	WScript.exe
316	WScript.exe
316	WScript.exe
2660	WScript.exe
2660	WScript.exe
1792	WScript.exe
1792	WScript.exe
1492	WScript.exe
1492	WScript.exe
2292	WScript.exe
2292	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
3012	svchcst.exe
3012	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
1868	svchcst.exe
1868	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
1644	svchcst.exe
1644	svchcst.exe
1360	svchcst.exe
1360	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
1440	svchcst.exe
1440	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
832	svchcst.exe
832	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
1808	svchcst.exe
1808	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
692	svchcst.exe
692	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
1872	svchcst.exe
1872	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3016	2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe	28
PID 2108 wrote to memory of 3016	2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe	28
PID 2108 wrote to memory of 3016	2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe	28
PID 2108 wrote to memory of 3016	2108	c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe	28
PID 3016 wrote to memory of 3012	3016	WScript.exe	30
PID 3016 wrote to memory of 3012	3016	WScript.exe	30
PID 3016 wrote to memory of 3012	3016	WScript.exe	30
PID 3016 wrote to memory of 3012	3016	WScript.exe	30
PID 3012 wrote to memory of 2552	3012	svchcst.exe	31
PID 3012 wrote to memory of 2552	3012	svchcst.exe	31
PID 3012 wrote to memory of 2552	3012	svchcst.exe	31
PID 3012 wrote to memory of 2552	3012	svchcst.exe	31
PID 2552 wrote to memory of 2596	2552	WScript.exe	32
PID 2552 wrote to memory of 2596	2552	WScript.exe	32
PID 2552 wrote to memory of 2596	2552	WScript.exe	32
PID 2552 wrote to memory of 2596	2552	WScript.exe	32
PID 2596 wrote to memory of 2892	2596	svchcst.exe	33
PID 2596 wrote to memory of 2892	2596	svchcst.exe	33
PID 2596 wrote to memory of 2892	2596	svchcst.exe	33
PID 2596 wrote to memory of 2892	2596	svchcst.exe	33
PID 2892 wrote to memory of 1868	2892	WScript.exe	34
PID 2892 wrote to memory of 1868	2892	WScript.exe	34
PID 2892 wrote to memory of 1868	2892	WScript.exe	34
PID 2892 wrote to memory of 1868	2892	WScript.exe	34
PID 1868 wrote to memory of 1828	1868	svchcst.exe	35
PID 1868 wrote to memory of 1828	1868	svchcst.exe	35
PID 1868 wrote to memory of 1828	1868	svchcst.exe	35
PID 1868 wrote to memory of 1828	1868	svchcst.exe	35
PID 2892 wrote to memory of 1720	2892	WScript.exe	36
PID 2892 wrote to memory of 1720	2892	WScript.exe	36
PID 2892 wrote to memory of 1720	2892	WScript.exe	36
PID 2892 wrote to memory of 1720	2892	WScript.exe	36
PID 1828 wrote to memory of 1732	1828	WScript.exe	37
PID 1828 wrote to memory of 1732	1828	WScript.exe	37
PID 1828 wrote to memory of 1732	1828	WScript.exe	37
PID 1828 wrote to memory of 1732	1828	WScript.exe	37
PID 1732 wrote to memory of 2960	1732	svchcst.exe	38
PID 1732 wrote to memory of 2960	1732	svchcst.exe	38
PID 1732 wrote to memory of 2960	1732	svchcst.exe	38
PID 1732 wrote to memory of 2960	1732	svchcst.exe	38
PID 2960 wrote to memory of 1644	2960	WScript.exe	39
PID 2960 wrote to memory of 1644	2960	WScript.exe	39
PID 2960 wrote to memory of 1644	2960	WScript.exe	39
PID 2960 wrote to memory of 1644	2960	WScript.exe	39
PID 1644 wrote to memory of 792	1644	svchcst.exe	40
PID 1644 wrote to memory of 792	1644	svchcst.exe	40
PID 1644 wrote to memory of 792	1644	svchcst.exe	40
PID 1644 wrote to memory of 792	1644	svchcst.exe	40
PID 792 wrote to memory of 1360	792	WScript.exe	41
PID 792 wrote to memory of 1360	792	WScript.exe	41
PID 792 wrote to memory of 1360	792	WScript.exe	41
PID 792 wrote to memory of 1360	792	WScript.exe	41
PID 1360 wrote to memory of 1928	1360	svchcst.exe	42
PID 1360 wrote to memory of 1928	1360	svchcst.exe	42
PID 1360 wrote to memory of 1928	1360	svchcst.exe	42
PID 1360 wrote to memory of 1928	1360	svchcst.exe	42
PID 792 wrote to memory of 1512	792	WScript.exe	43
PID 792 wrote to memory of 1512	792	WScript.exe	43
PID 792 wrote to memory of 1512	792	WScript.exe	43
PID 792 wrote to memory of 1512	792	WScript.exe	43
PID 1512 wrote to memory of 1608	1512	svchcst.exe	46
PID 1512 wrote to memory of 1608	1512	svchcst.exe	46
PID 1512 wrote to memory of 1608	1512	svchcst.exe	46
PID 1512 wrote to memory of 1608	1512	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe
"C:\Users\Admin\AppData\Local\Temp\c4cbf305ce96e843e6c198853c904ea5955536c964781286c6022b0ed585ba72.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
093053154223167ee1aaac862840c670

SHA1
004649f7e65585717ed29c05dfe600929c569f7b

SHA256
1135732bf1876aa0b913fbde9c2fb1f6b732eec540699fcbe339ead2528bd201

SHA512
ee354e05d42fbcb314d9e759a4a527cbd54eaf28838de5400f6699da3263fd21bea4a3cb2ba6c513350f5b6e3b570b97feb2e5e020119f102fcb635bb1a17819

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b92d89ed62beaccd5dc6dc0fa4a98622

SHA1
f8960eb5a4d81eacba18094cbc0efe3edb423b7e

SHA256
832e02796c6fb9eb262b49006d06077c185e9e1b573e735264902c650a544b1c

SHA512
77234372d9cdf1b87435eb05857ed1dd591516b9dcb50436a9b5f17592b9641b2faee4da250112787f14a17d2def91494384f81e8921858803fa6363b97d220f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1f9628af903a1231a6f4f988cbc12d95

SHA1
b10a291034a7302c842939bbb7eefb626f9874d0

SHA256
524c19ec3f3695db62973558f4821ba1188b33d1396bd5378247b0c5d61491d5

SHA512
bec4e3deddd0b58beb7667d0f2d53acbe8dd5f09bdd200d89ace70852dd8fe37c486f25156c3c5e226f032593d5cdf6d5d60770d5c3c191cb86952747312623e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7f1b58763127eafea4fb058baf3a3013

SHA1
b2c08d69a5ffcd9ddffd1da040fe156d46c0e160

SHA256
d6e0277aa139a8b2a154b76b87042588ec2e1fd5924aae7e99481fb54c37aef6

SHA512
390b9f3783d53efe6199332bfdbea789361ed86cfb6dfe9bc4d9e27c62ecf5e103a8d97358cd1bd29988d673066e621b0c4a4af62a6484dc87943edb54519997

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e421e6e79c887b63bbf78f6affaebb10

SHA1
b4e514f5f828c248144596fea7f42e915378ae81

SHA256
2e701b27e51dcd8482082648656c41f4675be14e763e58a61b7c4ecff5674c1c

SHA512
3caf0d6a8c366cea826f77d27af1e9dd11dae35ba1f33301a682ad1b005d569cede5222e1b0b2684f3624535593c3bc0c0b2b237b72e52705625ac61cb0bc5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c9f9a83cb4e1891796ad9aae2691c892

SHA1
be761fa7e396a272bca3662d8fdf23c85ebdcd9f

SHA256
f25f18b1be89cce44d51fbb277db84ff5061e435d12b9fbf614d93d50a822889

SHA512
f4c743deb1f05e59a5a3814b5b1c10a1509d9fe96002329be656dc411d1e55aa8f18c62eab7bb006bb9856737a0920f112d410cc12ed7c51deac8de67ddbff58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
28ec1fcfa6cffda61c4cdb6521bba487

SHA1
e0fa3d7e85703a5da79f023d788e3752d0eafd0a

SHA256
e7f6b36bc945ddcf6b189fa6bdd3f064fcefb57c5279eac66bc94dcedec34e91

SHA512
15d9cede2335388531b931a6aa66a9381a9bdbe70a4bc0df44f55f5759cea6bc0862197122a792218060e08d096ca440f46c4ac06d7c173bbfa5d902ef876e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d9b8b5e5899643904802e25e0e2dc0e5

SHA1
c89005e12a9f6d4e3791100b73bcb7bc727c5b98

SHA256
e072b69aab8e39b2c66b764f3c9086d69e77f380e99b6928718f1b4bab95bf20

SHA512
49bc22baea794eddd7cde772dbeb727b1453bfa118db27f2572c4f064cba761d42c7a9a2eb44fd87060eb85851a5da893451ad7ddbfc2202880f4ab317659647

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d7293ec04621eda094020ce4b526f6fe

SHA1
a966c30e7c95fdc08366fe2c90b6aec378e3ee6d

SHA256
104401468226a1b9a96b9c3ece1778f3b17cb3141662c65f0960afb6770f72ae

SHA512
df942f7a27cfde6f8416c601d1a7d621dc8bd7dde7b5ea1f7c32c5cb12b92c7bca68d1498edbeea4a72aaf55f8a8a8de5111208fbe7045b9598dfce4302695be

Download Submit
memory/692-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/692-237-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/792-97-0x0000000005B60000-0x0000000005CBF000-memory.dmp

Filesize
1.4MB

Download
memory/832-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/832-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1360-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1360-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1440-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1440-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1512-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1644-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1720-157-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-57-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1808-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1808-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-173-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1828-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-253-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-246-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1928-113-0x0000000004440000-0x000000000459F000-memory.dmp

Filesize
1.4MB

Download
memory/1996-212-0x00000000045C0000-0x000000000471F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2108-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-213-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-220-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-204-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2440-195-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2472-180-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2596-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-229-0x0000000005AF0000-0x0000000005C4F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2868-141-0x00000000046C0000-0x000000000481F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-221-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-51-0x0000000005BF0000-0x0000000005D4F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-69-0x00000000047F0000-0x000000000494F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-130-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3016-50-0x0000000005B90000-0x0000000005CEF000-memory.dmp

Filesize
1.4MB

Download
memory/3052-238-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download