dce146fd6044e0300e9195793ef6faefa79d08cc8ad5c21f2c2e903de14d5d1a

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5bbda624d1b8aba4f4f49ac996a27a0N.exe
Size

1.1MB
MD5

b5bbda624d1b8aba4f4f49ac996a27a0
SHA1

1f2688e09a4b2320e3a98acf6fbd520e436de7e9
SHA256

dce146fd6044e0300e9195793ef6faefa79d08cc8ad5c21f2c2e903de14d5d1a
SHA512

608795549b18d09c2d1c653fa86e7d2d17ad79c97d3d01781fdac9a36be355492fdaeecd9acb829a4de9b1c3ee6267d798c83d8f0173e7dcc2c664add55f089a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qg:CcaClSFlG4ZM7QzMH

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
556	svchcst.exe

Executes dropped EXE 18 IoCs

pid	Process
556	svchcst.exe
1576	svchcst.exe
980	svchcst.exe
2388	svchcst.exe
2444	svchcst.exe
836	svchcst.exe
1856	svchcst.exe
2484	svchcst.exe
2192	svchcst.exe
804	svchcst.exe
776	svchcst.exe
1516	svchcst.exe
1132	svchcst.exe
2020	svchcst.exe
2092	svchcst.exe
2072	svchcst.exe
2684	svchcst.exe
1028	svchcst.exe

Loads dropped DLL 29 IoCs

pid	Process
2556	WScript.exe
2556	WScript.exe
2648	WScript.exe
2648	WScript.exe
1004	WScript.exe
1908	WScript.exe
1908	WScript.exe
2504	WScript.exe
2504	WScript.exe
2160	WScript.exe
2292	WScript.exe
2292	WScript.exe
2292	WScript.exe
1280	WScript.exe
1720	WScript.exe
1720	WScript.exe
1720	WScript.exe
2128	WScript.exe
2128	WScript.exe
1224	WScript.exe
1224	WScript.exe
3028	WScript.exe
3028	WScript.exe
1500	WScript.exe
1500	WScript.exe
1796	WScript.exe
1796	WScript.exe
2896	WScript.exe
2896	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe
556	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe
556	svchcst.exe
556	svchcst.exe
1576	svchcst.exe
1576	svchcst.exe
980	svchcst.exe
980	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
836	svchcst.exe
836	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
804	svchcst.exe
804	svchcst.exe
776	svchcst.exe
776	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2556	2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	31
PID 2676 wrote to memory of 2556	2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	31
PID 2676 wrote to memory of 2556	2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	31
PID 2676 wrote to memory of 2556	2676	b5bbda624d1b8aba4f4f49ac996a27a0N.exe	31
PID 2556 wrote to memory of 556	2556	WScript.exe	33
PID 2556 wrote to memory of 556	2556	WScript.exe	33
PID 2556 wrote to memory of 556	2556	WScript.exe	33
PID 2556 wrote to memory of 556	2556	WScript.exe	33
PID 556 wrote to memory of 2648	556	svchcst.exe	34
PID 556 wrote to memory of 2648	556	svchcst.exe	34
PID 556 wrote to memory of 2648	556	svchcst.exe	34
PID 556 wrote to memory of 2648	556	svchcst.exe	34
PID 2648 wrote to memory of 1576	2648	WScript.exe	35
PID 2648 wrote to memory of 1576	2648	WScript.exe	35
PID 2648 wrote to memory of 1576	2648	WScript.exe	35
PID 2648 wrote to memory of 1576	2648	WScript.exe	35
PID 1576 wrote to memory of 1004	1576	svchcst.exe	36
PID 1576 wrote to memory of 1004	1576	svchcst.exe	36
PID 1576 wrote to memory of 1004	1576	svchcst.exe	36
PID 1576 wrote to memory of 1004	1576	svchcst.exe	36
PID 1004 wrote to memory of 980	1004	WScript.exe	37
PID 1004 wrote to memory of 980	1004	WScript.exe	37
PID 1004 wrote to memory of 980	1004	WScript.exe	37
PID 1004 wrote to memory of 980	1004	WScript.exe	37
PID 980 wrote to memory of 1908	980	svchcst.exe	38
PID 980 wrote to memory of 1908	980	svchcst.exe	38
PID 980 wrote to memory of 1908	980	svchcst.exe	38
PID 980 wrote to memory of 1908	980	svchcst.exe	38
PID 1908 wrote to memory of 2388	1908	WScript.exe	39
PID 1908 wrote to memory of 2388	1908	WScript.exe	39
PID 1908 wrote to memory of 2388	1908	WScript.exe	39
PID 1908 wrote to memory of 2388	1908	WScript.exe	39
PID 2388 wrote to memory of 1948	2388	svchcst.exe	40
PID 2388 wrote to memory of 1948	2388	svchcst.exe	40
PID 2388 wrote to memory of 1948	2388	svchcst.exe	40
PID 2388 wrote to memory of 1948	2388	svchcst.exe	40
PID 1908 wrote to memory of 2444	1908	WScript.exe	41
PID 1908 wrote to memory of 2444	1908	WScript.exe	41
PID 1908 wrote to memory of 2444	1908	WScript.exe	41
PID 1908 wrote to memory of 2444	1908	WScript.exe	41
PID 2444 wrote to memory of 2504	2444	svchcst.exe	42
PID 2444 wrote to memory of 2504	2444	svchcst.exe	42
PID 2444 wrote to memory of 2504	2444	svchcst.exe	42
PID 2444 wrote to memory of 2504	2444	svchcst.exe	42
PID 2504 wrote to memory of 836	2504	WScript.exe	43
PID 2504 wrote to memory of 836	2504	WScript.exe	43
PID 2504 wrote to memory of 836	2504	WScript.exe	43
PID 2504 wrote to memory of 836	2504	WScript.exe	43
PID 836 wrote to memory of 2160	836	svchcst.exe	44
PID 836 wrote to memory of 2160	836	svchcst.exe	44
PID 836 wrote to memory of 2160	836	svchcst.exe	44
PID 836 wrote to memory of 2160	836	svchcst.exe	44
PID 2160 wrote to memory of 1856	2160	WScript.exe	45
PID 2160 wrote to memory of 1856	2160	WScript.exe	45
PID 2160 wrote to memory of 1856	2160	WScript.exe	45
PID 2160 wrote to memory of 1856	2160	WScript.exe	45
PID 1856 wrote to memory of 2292	1856	svchcst.exe	46
PID 1856 wrote to memory of 2292	1856	svchcst.exe	46
PID 1856 wrote to memory of 2292	1856	svchcst.exe	46
PID 1856 wrote to memory of 2292	1856	svchcst.exe	46
PID 2292 wrote to memory of 2484	2292	WScript.exe	47
PID 2292 wrote to memory of 2484	2292	WScript.exe	47
PID 2292 wrote to memory of 2484	2292	WScript.exe	47
PID 2292 wrote to memory of 2484	2292	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\b5bbda624d1b8aba4f4f49ac996a27a0N.exe
"C:\Users\Admin\AppData\Local\Temp\b5bbda624d1b8aba4f4f49ac996a27a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
722B

MD5
ccd483a579e1c72ab4c5f5fa46d21471

SHA1
a53ab5fd8bad6719629966f72cbdaabe94cbea61

SHA256
ba962243b9de3c7aa56238c269387b2cfeed26bc772f99c0036c7123bf5b9073

SHA512
d8e00f7bb3da018fa7e18c94f569b0922e909356a75a5baa6b9641b02296e36edd539fc1c56892898e80a278c9242109d99f20c64336bce37efce3346fb4de7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7f92a34f71720b04d60028801eb07932

SHA1
1701bae49609dc0ad1ab56823ae2414fd6c286c5

SHA256
b7445df62a392850e8ed07fba398dd5896625b6bcd694dfb5a02797ca2c637ee

SHA512
f5173fb410530956a6fcc8a15894c4186ae7fbac8e408714143359b476a2a2b1bd528cdb2e4647d1c16b99f108e452fb4fcb0a6db5eae6750fc6f6d8edd85360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
57504391d983a03ffbddd5fc6d1e5dce

SHA1
32941d01859aef327b62e38fabb7faaa47a12e21

SHA256
4535d234d6445f8d9320d58a3c22ef6cc86383661d084d4386b8888d8c177712

SHA512
a5c69a55175a9ab901bf6e6c158af24596c03b4ce18b51327abb5966bc888947456eac849682b1a6e869f1e4eda448c5ca1da30c1b55dcdb87437af5772ec708

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
22114981f54a98800341bba0d1f1a718

SHA1
d2d3899aab5ec08ffec493763ffcd7070ebde988

SHA256
c24ec83bafa760d10e3b602530aecb4ab26afc1ba91d346b54487631356dbfe5

SHA512
4ff3ff50d4e87cef2fa670955d1e4e9866deac22cca98742eac83afec425ac92f4bf5318511b4a81fc07739f08b25698814bbb83bd95b40c1f7a9558c858c13e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
02ee908b42e91a32478e738b0a0cf393

SHA1
e0735402074b98e6b2270985ec6f81a085759eff

SHA256
a737c4b86107c2d244be70b8d9158b261b16755f2e891363f752bc358b95b387

SHA512
bcd5e4a2de86cc90f3648c356a4389eb76c7aa262d2196884e799186f3d7ce89573516e7affdf0edea68f3d79e9a1982fc275e6bedf6eb722c0db2d0e5b154a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9031fd5b0395ccb9dc2801bbdb0e42ab

SHA1
5e045e26dd13c338b26979e0733d372ca0e23eff

SHA256
6a8add7001606eb608c9b3bd14a4295958eb85155a6a34f491d69fde5ccb5adb

SHA512
205bca9c737ae1520e78ef1c36c5918b7374f0e2d60f052e0a11195c4f49aac2f57e25be1241d14e8927e0c1d398f9c0438f90ace1f4633699b89404523cb57f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a1c437bfe37b16481550077084ea598c

SHA1
79c9b96f7d5809557e306cd0a486573e4cfc17f9

SHA256
021099dc523321e33c4508792731d1f9e63e6feefb468aeedd2367a33d4e6661

SHA512
3aa4ac618f1eca8fa1d69051be7085254fd7e9ff0d85993e9459d2e17c18de40e4e0dfbda0b577a4d840c309d4a7911b780588fbddf44b8f30da480a68de229f

Download Submit
memory/2676-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download