43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
Size

1.1MB
MD5

6bfbe52166fef78db443fa067727d251
SHA1

f9feb5267e839258d5882da390222b46faf1c43d
SHA256

43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f
SHA512

76faf7440b4519bbbf63d46a371e15229a984492b5084e852431737a180ea2e5d5c4d9d2000bc19c5f55eb1f09a1dec3207a30f0a2d094c3a5c9a52a506a7d12
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Ql:acallSllG4ZM7QzMO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2804	svchcst.exe
2960	svchcst.exe
2024	svchcst.exe
2812	svchcst.exe
2892	svchcst.exe
1944	svchcst.exe
2676	svchcst.exe
1692	svchcst.exe
3060	svchcst.exe
3004	svchcst.exe
1532	svchcst.exe
2284	svchcst.exe
1172	svchcst.exe
568	svchcst.exe
916	svchcst.exe
1980	svchcst.exe
768	svchcst.exe
868	svchcst.exe
2140	svchcst.exe
2884	svchcst.exe
2888	svchcst.exe
1040	svchcst.exe
2292	svchcst.exe
1372	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
1032	WScript.exe
1032	WScript.exe
804	WScript.exe
804	WScript.exe
2472	WScript.exe
2472	WScript.exe
1636	WScript.exe
1636	WScript.exe
2244	WScript.exe
592	WScript.exe
788	WScript.exe
788	WScript.exe
764	WScript.exe
868	WScript.exe
868	WScript.exe
2424	WScript.exe
2424	WScript.exe
2692	WScript.exe
2692	WScript.exe
2312	WScript.exe
2312	WScript.exe
1132	WScript.exe
1132	WScript.exe
2896	WScript.exe
2896	WScript.exe
932	WScript.exe
932	WScript.exe
1236	WScript.exe
1236	WScript.exe
2736	WScript.exe
2736	WScript.exe
2432	WScript.exe
2432	WScript.exe
2780	WScript.exe
2780	WScript.exe
1768	WScript.exe
1768	WScript.exe
2872	WScript.exe
2872	WScript.exe
1276	WScript.exe
1276	WScript.exe
776	WScript.exe
776	WScript.exe
2896	WScript.exe
2896	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
2804	svchcst.exe
2804	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
1172	svchcst.exe
1172	svchcst.exe
568	svchcst.exe
568	svchcst.exe
916	svchcst.exe
916	svchcst.exe
1980	svchcst.exe
1980	svchcst.exe
768	svchcst.exe
768	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2884	svchcst.exe
2884	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
1040	svchcst.exe
1040	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1032	2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	28
PID 2924 wrote to memory of 1032	2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	28
PID 2924 wrote to memory of 1032	2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	28
PID 2924 wrote to memory of 1032	2924	43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe	28
PID 1032 wrote to memory of 2804	1032	WScript.exe	30
PID 1032 wrote to memory of 2804	1032	WScript.exe	30
PID 1032 wrote to memory of 2804	1032	WScript.exe	30
PID 1032 wrote to memory of 2804	1032	WScript.exe	30
PID 2804 wrote to memory of 2472	2804	svchcst.exe	31
PID 2804 wrote to memory of 2472	2804	svchcst.exe	31
PID 2804 wrote to memory of 2472	2804	svchcst.exe	31
PID 2804 wrote to memory of 2472	2804	svchcst.exe	31
PID 2804 wrote to memory of 804	2804	svchcst.exe	32
PID 2804 wrote to memory of 804	2804	svchcst.exe	32
PID 2804 wrote to memory of 804	2804	svchcst.exe	32
PID 2804 wrote to memory of 804	2804	svchcst.exe	32
PID 804 wrote to memory of 2960	804	WScript.exe	33
PID 804 wrote to memory of 2960	804	WScript.exe	33
PID 804 wrote to memory of 2960	804	WScript.exe	33
PID 804 wrote to memory of 2960	804	WScript.exe	33
PID 2472 wrote to memory of 2024	2472	WScript.exe	34
PID 2472 wrote to memory of 2024	2472	WScript.exe	34
PID 2472 wrote to memory of 2024	2472	WScript.exe	34
PID 2472 wrote to memory of 2024	2472	WScript.exe	34
PID 2024 wrote to memory of 1636	2024	svchcst.exe	35
PID 2024 wrote to memory of 1636	2024	svchcst.exe	35
PID 2024 wrote to memory of 1636	2024	svchcst.exe	35
PID 2024 wrote to memory of 1636	2024	svchcst.exe	35
PID 1636 wrote to memory of 2812	1636	WScript.exe	36
PID 1636 wrote to memory of 2812	1636	WScript.exe	36
PID 1636 wrote to memory of 2812	1636	WScript.exe	36
PID 1636 wrote to memory of 2812	1636	WScript.exe	36
PID 2812 wrote to memory of 2244	2812	svchcst.exe	37
PID 2812 wrote to memory of 2244	2812	svchcst.exe	37
PID 2812 wrote to memory of 2244	2812	svchcst.exe	37
PID 2812 wrote to memory of 2244	2812	svchcst.exe	37
PID 2244 wrote to memory of 2892	2244	WScript.exe	38
PID 2244 wrote to memory of 2892	2244	WScript.exe	38
PID 2244 wrote to memory of 2892	2244	WScript.exe	38
PID 2244 wrote to memory of 2892	2244	WScript.exe	38
PID 2892 wrote to memory of 592	2892	svchcst.exe	39
PID 2892 wrote to memory of 592	2892	svchcst.exe	39
PID 2892 wrote to memory of 592	2892	svchcst.exe	39
PID 2892 wrote to memory of 592	2892	svchcst.exe	39
PID 592 wrote to memory of 1944	592	WScript.exe	40
PID 592 wrote to memory of 1944	592	WScript.exe	40
PID 592 wrote to memory of 1944	592	WScript.exe	40
PID 592 wrote to memory of 1944	592	WScript.exe	40
PID 1944 wrote to memory of 788	1944	svchcst.exe	41
PID 1944 wrote to memory of 788	1944	svchcst.exe	41
PID 1944 wrote to memory of 788	1944	svchcst.exe	41
PID 1944 wrote to memory of 788	1944	svchcst.exe	41
PID 788 wrote to memory of 2676	788	WScript.exe	42
PID 788 wrote to memory of 2676	788	WScript.exe	42
PID 788 wrote to memory of 2676	788	WScript.exe	42
PID 788 wrote to memory of 2676	788	WScript.exe	42
PID 2676 wrote to memory of 764	2676	svchcst.exe	43
PID 2676 wrote to memory of 764	2676	svchcst.exe	43
PID 2676 wrote to memory of 764	2676	svchcst.exe	43
PID 2676 wrote to memory of 764	2676	svchcst.exe	43
PID 764 wrote to memory of 1692	764	WScript.exe	44
PID 764 wrote to memory of 1692	764	WScript.exe	44
PID 764 wrote to memory of 1692	764	WScript.exe	44
PID 764 wrote to memory of 1692	764	WScript.exe	44

C:\Users\Admin\AppData\Local\Temp\43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe
"C:\Users\Admin\AppData\Local\Temp\43bbde35d4c620cdd5ed7a51426df308ca7658f4a7d0784998b75bfc3d38042f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        49⤵
        
        PID:2208
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ac0ed33a7fe4bca59abd11c3065546f2

SHA1
5b90cb376adaf2469b686920f754d4433b002323

SHA256
ebac11f346952d9511c2902c8d9534d2c3c55220cd89dd34668def593824ad1d

SHA512
7c5b601cf8722c8de9c085e353203c6d3ec546029354e40dfd5d154b6d0f57a98ba27c4758bda076055de89ea63e2471d1d8613426d7d320a9464a4278c11aef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
df56efc5aa49720056952b653a76a0d1

SHA1
82823a83837e69b031a973238d78e0360d113ac7

SHA256
bd6fdd2db5dd3828baa84352f1c382304ce0481755f000a7445e3977c24d0a35

SHA512
ffd2ffc465dcd33cca7fdf4cce8711ce7a5cb6af0933fbf2885b7b4164ea2c19ec1a776f2422996599e28b05a3ff927dd76221b9b4dec49b942941b48962034c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b63993a1172c3bd3aa34e16acb2f61e9

SHA1
79464926f35c006e2428c585bdb0947395e9cfb0

SHA256
168d9c70e26dede80ef00426aa638ba58e3aaa9b4a004b61c53137860e44a54a

SHA512
3428ef1e1b8e3527265f24f1ae2c6fdcacbe17f05df51b6114edc49711881bd32e244964769450893c0436b610f5d9c3e087cf5257da03c6696a59cc883b0f67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cf9c89b4645d9b233771fdf9625845dc

SHA1
d435f713ec5a75264829e1ce9a7e86834c97c092

SHA256
219548730f258b3cd2b7af4eae3a698b38b6d69304ad693450f5af4dabac955e

SHA512
c9fff151f817712153232a70851b4d663cddc67a5b675453dd5fac3f7835e6ceccd1b9b17fe37891129dcd0ebef0f68e14d389ffcced579a27bbac3033a48144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
54bfc221b14152916ef03484abb07b05

SHA1
d3daf7cf2edc8d28a3d2771fe480cbddd855651e

SHA256
0879165c9e9ad036226fecf058278e51057ed9da4342ddcecad173a88e2ac593

SHA512
02f9f1d03323805355aa8711da69f075935ea8c372bcd04ac4acd602ad66776280e79a3bad3df82e6ee84e61d03668599171bf79de8d635eb0634be7b1c8b011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2c9d532788a8625a6d5a2e2033f477ff

SHA1
b8c6f609eebaecb42ef3bda1970ba111ed989d3f

SHA256
c2c98f8467f546fd9a13edc7a1737919fb6c24cc46ece4b1497d81b7686aa26f

SHA512
11b6da89cfc5edb371b77be60b69e08f0498daf19ec1e472c5b05ed98457b468dcd015b7d434f4f7f9b7ca9e628d75ef1418f3e07e5508224be196bbbf671292

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
03a549efa5f29b08eb7b58f5b6a1c182

SHA1
c617f0978e9edad0dc4e77235be16222a7fbf25f

SHA256
0917f277b23d16fe1d77a80074dbdb5834a4d0b5664ad6f497952fcab8e372b8

SHA512
63519e4f2ffcbe602d4093b8c76894eb22e7ce82b87fa9615b2b0724f2eb6f742032eebd44f43e306ec64ac77b8a96a1a7f1d6a2b145f851cb81ede947d936cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4445ca9c262c76d56c97dd33f45d3231

SHA1
41fea8d200fdd15e1638a85892d200fa0af60155

SHA256
4d67519cc3a9a0ec9e85b75e5ab26361e15e1acb018f57479a035650c354ed37

SHA512
5bd3eced07d8eaa49d1a11369bd1b0f84fa7774881616284a119c429c47fb7026c2ecdb3ea26c87304945436c1b0cc16dc8bba9cd58709de9c8cf39a8bf02121

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cfe4a7b7b73a50f446169b786e00a9ce

SHA1
491e2764307eb666119bae4fcd2593b8ba137649

SHA256
c425b3dcaa35b0f57d84590f6ce930ac6ede1dd5cae4b9663591053d6b773e5a

SHA512
4d2eefbb24cad1e6890e9efaf576be93c99eac6af0dc8e760753ea59b50eb36462ddca3a7546d8516d32479377442f896851ff7bb13f4e59fc54cd1c598c390e

Download Submit
memory/568-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/568-177-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/768-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/768-194-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/804-33-0x0000000005790000-0x00000000058EF000-memory.dmp

Filesize
1.4MB

Download
memory/804-34-0x0000000005790000-0x00000000058EF000-memory.dmp

Filesize
1.4MB

Download
memory/868-152-0x0000000005CF0000-0x0000000005E4F000-memory.dmp

Filesize
1.4MB

Download
memory/868-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/916-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/916-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-14-0x0000000003DD0000-0x0000000003F2F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-15-0x0000000003DD0000-0x0000000003F2F000-memory.dmp

Filesize
1.4MB

Download
memory/1040-242-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1040-235-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-161-0x00000000059D0000-0x0000000005B2F000-memory.dmp

Filesize
1.4MB

Download
memory/1172-169-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1172-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-210-0x0000000005C10000-0x0000000005D6F000-memory.dmp

Filesize
1.4MB

Download
memory/1276-234-0x0000000005C40000-0x0000000005D9F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-251-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-258-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-151-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-143-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1636-52-0x00000000047A0000-0x00000000048FF000-memory.dmp

Filesize
1.4MB

Download
memory/1692-111-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1692-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1944-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1980-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1980-186-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2244-66-0x0000000005C00000-0x0000000005D5F000-memory.dmp

Filesize
1.4MB

Download
memory/2284-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2284-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-250-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2292-243-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-99-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2812-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2884-225-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-226-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-233-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2892-74-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2924-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2960-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3004-138-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3060-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download