Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 18/08/2024, 19:25
Static task: static1
Behavioral task: behavioral1
Sample: 1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe
Resource: win10v2004-20240802-en
General
Target: 1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe
Size: 1.1MB
MD5: 706ebc05f625f5601927d95f1df25ce3
SHA1: 09c9acf256fbb5392438c2b699918edefb42b55e
SHA256: 1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d
SHA512: 4909fb82e45951d714bd10ebd1b938c1571e472ce6d6c94b090273e9d305dfd6f72035d7c7a257d72117f872b6d8cd4f3ac88be9f8ac80319098b324938c74ce
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qs:acallSllG4ZM7QzM7
Malware Config
Signatures
Deletes itself (1 IoC)
PID 2756 svchcst.exe
Executes dropped EXE (23 IoCs)
Loads dropped DLL (46 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 48 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: RenamesItself (1 IoC)
PID 1996 1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe
Suspicious use of SetWindowsHookEx (48 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: RenamesItself
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 1996
2. C:\Windows\SysWOW64\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2136
3. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
   - Deletes itself
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2756
4. C:\Windows\SysWOW64\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2928
5. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2720
6. C:\Windows\SysWOW64\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2836
7. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2120
8. C:\Windows\SysWOW64\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 1932
9. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2288
10. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 820
11. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 700
12. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1300
13. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 972
14. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1484
15. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2472
16. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1836
17. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2724
18. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2908
19. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2612
20. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2624
21. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1728
22. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2496
23. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1744
24. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1428
25. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2980
26. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2104
27. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 916
28. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 780
29. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2552
30. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1508
31. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2512
32. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2472
33. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2760
34. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 784
35. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2644
36. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2660
37. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1824
38. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2996
39. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3064
40. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1328
41. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1124
42. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1432
43. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 1696
44. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1096
45. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 952
46. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1032
47. C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 812
48. C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    - System Location Discovery: System Language Discovery
    PID: 1668
Network
MITRE ATT&CK Enterprise v15
Downloads