7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9

Analysis

max time kernel
137s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
Size

1.1MB
MD5

5570fb65520eddfa055e943a15d87ecb
SHA1

941e5fa94731c15061c94bb4358f4e1764ae78c2
SHA256

7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9
SHA512

2273807d64eda4487dfe34cad39ef1357f8463417e8ff20250235f028e118814c71bfc04f556a14c0c12726ddfdc32f35d1945d4ecccc2945ad1c97c761565c8
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q+:acallSllG4ZM7QzM1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
2852	svchcst.exe
2168	svchcst.exe
1204	svchcst.exe
2312	svchcst.exe
2180	svchcst.exe
1532	svchcst.exe
784	svchcst.exe
1160	svchcst.exe
3024	svchcst.exe
2232	svchcst.exe
2728	svchcst.exe
1852	svchcst.exe
1732	svchcst.exe
772	svchcst.exe
960	svchcst.exe
2188	svchcst.exe
2720	svchcst.exe
2552	svchcst.exe
2680	svchcst.exe
2064	svchcst.exe
2392	svchcst.exe
2912	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2368	WScript.exe
2368	WScript.exe
2532	WScript.exe
2532	WScript.exe
2848	WScript.exe
2848	WScript.exe
1788	WScript.exe
1788	WScript.exe
2060	WScript.exe
2060	WScript.exe
1876	WScript.exe
1876	WScript.exe
2316	WScript.exe
1756	WScript.exe
1756	WScript.exe
1756	WScript.exe
2732	WScript.exe
2580	WScript.exe
1820	WScript.exe
1660	WScript.exe
1660	WScript.exe
2240	WScript.exe
2240	WScript.exe
1916	WScript.exe
1916	WScript.exe
2476	WScript.exe
2476	WScript.exe
2316	WScript.exe
2316	WScript.exe
2708	WScript.exe
2708	WScript.exe
1868	WScript.exe
1868	WScript.exe
2736	WScript.exe
2736	WScript.exe
2784	WScript.exe
2784	WScript.exe
288	WScript.exe
288	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
2852	svchcst.exe
2852	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
1204	svchcst.exe
1204	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
784	svchcst.exe
784	svchcst.exe
1160	svchcst.exe
1160	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2232	svchcst.exe
2232	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
1852	svchcst.exe
1852	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
772	svchcst.exe
772	svchcst.exe
960	svchcst.exe
960	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2368	836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	28
PID 836 wrote to memory of 2368	836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	28
PID 836 wrote to memory of 2368	836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	28
PID 836 wrote to memory of 2368	836	7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe	28
PID 2368 wrote to memory of 2852	2368	WScript.exe	30
PID 2368 wrote to memory of 2852	2368	WScript.exe	30
PID 2368 wrote to memory of 2852	2368	WScript.exe	30
PID 2368 wrote to memory of 2852	2368	WScript.exe	30
PID 2852 wrote to memory of 2532	2852	svchcst.exe	31
PID 2852 wrote to memory of 2532	2852	svchcst.exe	31
PID 2852 wrote to memory of 2532	2852	svchcst.exe	31
PID 2852 wrote to memory of 2532	2852	svchcst.exe	31
PID 2532 wrote to memory of 2168	2532	WScript.exe	32
PID 2532 wrote to memory of 2168	2532	WScript.exe	32
PID 2532 wrote to memory of 2168	2532	WScript.exe	32
PID 2532 wrote to memory of 2168	2532	WScript.exe	32
PID 2168 wrote to memory of 2848	2168	svchcst.exe	33
PID 2168 wrote to memory of 2848	2168	svchcst.exe	33
PID 2168 wrote to memory of 2848	2168	svchcst.exe	33
PID 2168 wrote to memory of 2848	2168	svchcst.exe	33
PID 2848 wrote to memory of 1204	2848	WScript.exe	34
PID 2848 wrote to memory of 1204	2848	WScript.exe	34
PID 2848 wrote to memory of 1204	2848	WScript.exe	34
PID 2848 wrote to memory of 1204	2848	WScript.exe	34
PID 1204 wrote to memory of 1788	1204	svchcst.exe	35
PID 1204 wrote to memory of 1788	1204	svchcst.exe	35
PID 1204 wrote to memory of 1788	1204	svchcst.exe	35
PID 1204 wrote to memory of 1788	1204	svchcst.exe	35
PID 1788 wrote to memory of 2312	1788	WScript.exe	36
PID 1788 wrote to memory of 2312	1788	WScript.exe	36
PID 1788 wrote to memory of 2312	1788	WScript.exe	36
PID 1788 wrote to memory of 2312	1788	WScript.exe	36
PID 2312 wrote to memory of 2060	2312	svchcst.exe	37
PID 2312 wrote to memory of 2060	2312	svchcst.exe	37
PID 2312 wrote to memory of 2060	2312	svchcst.exe	37
PID 2312 wrote to memory of 2060	2312	svchcst.exe	37
PID 2060 wrote to memory of 2180	2060	WScript.exe	38
PID 2060 wrote to memory of 2180	2060	WScript.exe	38
PID 2060 wrote to memory of 2180	2060	WScript.exe	38
PID 2060 wrote to memory of 2180	2060	WScript.exe	38
PID 2180 wrote to memory of 1876	2180	svchcst.exe	39
PID 2180 wrote to memory of 1876	2180	svchcst.exe	39
PID 2180 wrote to memory of 1876	2180	svchcst.exe	39
PID 2180 wrote to memory of 1876	2180	svchcst.exe	39
PID 1876 wrote to memory of 1532	1876	WScript.exe	40
PID 1876 wrote to memory of 1532	1876	WScript.exe	40
PID 1876 wrote to memory of 1532	1876	WScript.exe	40
PID 1876 wrote to memory of 1532	1876	WScript.exe	40
PID 1532 wrote to memory of 2316	1532	svchcst.exe	41
PID 1532 wrote to memory of 2316	1532	svchcst.exe	41
PID 1532 wrote to memory of 2316	1532	svchcst.exe	41
PID 1532 wrote to memory of 2316	1532	svchcst.exe	41
PID 2316 wrote to memory of 784	2316	WScript.exe	42
PID 2316 wrote to memory of 784	2316	WScript.exe	42
PID 2316 wrote to memory of 784	2316	WScript.exe	42
PID 2316 wrote to memory of 784	2316	WScript.exe	42
PID 784 wrote to memory of 1756	784	svchcst.exe	43
PID 784 wrote to memory of 1756	784	svchcst.exe	43
PID 784 wrote to memory of 1756	784	svchcst.exe	43
PID 784 wrote to memory of 1756	784	svchcst.exe	43
PID 1756 wrote to memory of 1160	1756	WScript.exe	46
PID 1756 wrote to memory of 1160	1756	WScript.exe	46
PID 1756 wrote to memory of 1160	1756	WScript.exe	46
PID 1756 wrote to memory of 1160	1756	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe
"C:\Users\Admin\AppData\Local\Temp\7746040010492fc7c252436ef5d568be0791b5820e463a9f37389ee423307af9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0bf7ef1b024f2256a66d836452266868

SHA1
56a7d5cae7d3d43a2cabb9cdbed5e3f51cbf5ec4

SHA256
40b0e768bfdfec75f21aa978845139197b34060331c8db837352c6a2a865c3ab

SHA512
4fe920c8fc0d0225e7c8ac60671449817a2184b665e9325dd296f2c50e3e8cd649bac2754e3c3b57822888218035600ad4da3893f9e120b2c23080494adbfd55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a66ca64afe431b7c50358bd05ba54e34

SHA1
f34d905ac06b3c07f936352bff4db70469f5057c

SHA256
3a2a423d9df888fadef3786fdbf7fb0125eb8e1d08b22a707b6efa4bc00b7f43

SHA512
90ea8413b1fce013f8e902e0e3efbbfd1ec30c7f26ca2fb05e390a847d22a1181eeb60dccf6e3f8fec5aeff2568506977ab47018a54d328078ab14407f3eeb09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6384f18c1c783b004531095a478899f0

SHA1
224fc585e99c88f50f88b2e2e6485ce7ea494dd9

SHA256
fd9755e1f255ec27f2011dac00f55716ef8cbb0384e2d377031c04717b51c79d

SHA512
daed0aae2c51423a254ffab3c5c847e6a8d07a9531cec0bdfefcb3c97c4ab830b7c8b8819cfb0f5504b0bda3d6a0a95fbff406e93e7c34cb547abd8eda408f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b085e9145c71893fb8ea68cac0b5f598

SHA1
9126891f8c95cd7dde982ba13de3386f8ac7d1a8

SHA256
08198864f3313505c4929a65a9d8e2d262f99307677b4125934bd246bf4cd004

SHA512
09f70fe34d7ae38bd79ddf8bbb517e3d9050b36377e81a0b5611a7aff3d89f2d5da5740401073cd15cd543d239239322adb37d16cf51199bb37c473200ee2a2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fe740b47e6527755132a0dea7a4aefa0

SHA1
fd62749435276a2abc719be6e2b8af045bb7e4cf

SHA256
1a63d306641a77850b5250f895c8f4a17f6b2646431c5b06824dfb0b02d6fe98

SHA512
ac6129ee3bee83c243e888256b1ee782d86c04a75239c4db40b9b1ae3396b62ecb2c93b439514544e74477939a4fed2fec904efb8365548823d7c8095c842a8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6ec4b9cfaaa0b787acf8c99f01220747

SHA1
0f036a7a85329baa701b473dbe3fcb077a8ddf4c

SHA256
3a45dc67d834909e1bf958c84b8761b68a6208e4e21296d9490cec64b8a47c2b

SHA512
ff7ae9122754b618a1576a4083b94651cce912fb7faec90bead3ea9c5587bd940366e0e313c3ceff0b584dd1c2c00426000342e07c17a77bac51c83627df0ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b2ac0ceed1bae3e21a2087344234b55f

SHA1
f44efbef5ccfec26096fdc529b3316ba5836dfe1

SHA256
753caa4bf629447ddf3efc35ec24b6bc638c48741aa67e03d56584d754ffb1d7

SHA512
94414fefd0747f1ce6f0d36a099368a7458b62d0c72aeaf57d9791e1e187f9357d9a2ff8ad4da5610447e1eabd15f39867c7049389184b72e1dd767a50d16a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
07510c1d734b4e43e290409b5b4a7f26

SHA1
7e4047bc574f88191b887f01d3fcf746c158ee73

SHA256
366cad05a444a632c755ffd6290615cede28fb70df923eb483879fc2fe954dd5

SHA512
7288058bba9316a863ec7b40853f234ea4af2e42e4e552b8f609b9ec66aaadcd8633a31a1f1d7f8f3f8270176e2bff44e4537ed1a4d0ab9777af9fb3a97cb809

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
db0b0cd2119c02f7a09492a5b8c90645

SHA1
bf53577d568f8c6e23ae0c98bfda29305dbb5a49

SHA256
1a60df8b8deebf5406347537c7eee100de4c8acba2a7b78514f6a578b50b9c85

SHA512
23276dd3b5a719246007994e4f324d6d3cc429bbf06ce52b1fd29396bd0f4730bb4580153cbb2200dc80b23e54aad8a9ae2903d0a510dd964e73f5994cbf1e96

Download Submit
memory/288-236-0x00000000045A0000-0x00000000046FF000-memory.dmp

Filesize
1.4MB

Download
memory/448-253-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download
memory/448-254-0x0000000005920000-0x0000000005A7F000-memory.dmp

Filesize
1.4MB

Download
memory/772-161-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/772-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/784-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/784-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/836-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/836-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1160-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1160-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1204-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1348-255-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1348-262-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-252-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1504-245-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-158-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1732-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1756-117-0x0000000005FD0000-0x000000000612F000-memory.dmp

Filesize
1.4MB

Download
memory/1852-150-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1852-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1868-208-0x0000000004830000-0x000000000498F000-memory.dmp

Filesize
1.4MB

Download
memory/1876-80-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/1876-85-0x0000000005AE0000-0x0000000005C3F000-memory.dmp

Filesize
1.4MB

Download
memory/1916-169-0x0000000005B00000-0x0000000005C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2064-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2156-244-0x0000000004850000-0x00000000049AF000-memory.dmp

Filesize
1.4MB

Download
memory/2168-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2180-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2240-159-0x0000000004950000-0x0000000004AAF000-memory.dmp

Filesize
1.4MB

Download
memory/2240-160-0x0000000004950000-0x0000000004AAF000-memory.dmp

Filesize
1.4MB

Download
memory/2312-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-187-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/2316-189-0x00000000059E0000-0x0000000005B3F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-228-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-178-0x00000000043C0000-0x000000000451F000-memory.dmp

Filesize
1.4MB

Download
memory/2476-207-0x00000000043C0000-0x000000000451F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-28-0x0000000005980000-0x0000000005ADF000-memory.dmp

Filesize
1.4MB

Download
memory/2552-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2680-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-197-0x0000000004520000-0x000000000467F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-198-0x0000000004520000-0x000000000467F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-188-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-136-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2728-137-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-130-0x0000000004550000-0x00000000046AF000-memory.dmp

Filesize
1.4MB

Download
memory/2736-217-0x00000000042F0000-0x000000000444F000-memory.dmp

Filesize
1.4MB

Download
memory/2736-218-0x00000000042F0000-0x000000000444F000-memory.dmp

Filesize
1.4MB

Download
memory/2784-227-0x0000000005E80000-0x0000000005FDF000-memory.dmp

Filesize
1.4MB

Download
memory/2852-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2852-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2912-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-263-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/2944-264-0x0000000005AA0000-0x0000000005BFF000-memory.dmp

Filesize
1.4MB

Download
memory/3024-118-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download