877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
Size

1.1MB
MD5

a472034ab1e38c50b3ecdd2f9ba40899
SHA1

bcf111d864f02fe541447d6a9b84eb5850bba6bb
SHA256

877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a
SHA512

fa0701a0917dad6bd61b92002b29ef7dc1af2ce91ecec5e00b73a58b232680917843c435a44fdcf779d411d7abaa23794c33244a1d82f6e52178e74ed5ffbb33
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qr:CcaClSFlG4ZM7QzM8

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2148	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2148	svchcst.exe
2072	svchcst.exe
1932	svchcst.exe
2128	svchcst.exe
2524	svchcst.exe
2476	svchcst.exe
1816	svchcst.exe
1596	svchcst.exe
2880	svchcst.exe
2796	svchcst.exe
1960	svchcst.exe
2020	svchcst.exe
844	svchcst.exe
2004	svchcst.exe
3008	svchcst.exe
2032	svchcst.exe
2120	svchcst.exe
2236	svchcst.exe
2660	svchcst.exe
2548	svchcst.exe
3036	svchcst.exe
1984	svchcst.exe
952	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2692	WScript.exe
2692	WScript.exe
2952	WScript.exe
2952	WScript.exe
2876	WScript.exe
556	WScript.exe
556	WScript.exe
556	WScript.exe
1328	WScript.exe
1328	WScript.exe
1228	WScript.exe
1228	WScript.exe
2120	WScript.exe
2120	WScript.exe
2720	WScript.exe
2720	WScript.exe
2380	WScript.exe
2380	WScript.exe
1480	WScript.exe
1480	WScript.exe
2904	WScript.exe
2904	WScript.exe
2264	WScript.exe
2264	WScript.exe
556	WScript.exe
556	WScript.exe
1776	WScript.exe
1776	WScript.exe
1000	WScript.exe
1000	WScript.exe
2592	WScript.exe
2592	WScript.exe
3020	WScript.exe
3020	WScript.exe
2184	WScript.exe
2184	WScript.exe
2240	WScript.exe
2240	WScript.exe
1676	WScript.exe
1676	WScript.exe
1276	WScript.exe
1276	WScript.exe
956	WScript.exe
956	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
2148	svchcst.exe
2148	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
844	svchcst.exe
844	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
1984	svchcst.exe
1984	svchcst.exe
952	svchcst.exe
952	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2692	2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	31
PID 2708 wrote to memory of 2692	2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	31
PID 2708 wrote to memory of 2692	2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	31
PID 2708 wrote to memory of 2692	2708	877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe	31
PID 2692 wrote to memory of 2148	2692	WScript.exe	33
PID 2692 wrote to memory of 2148	2692	WScript.exe	33
PID 2692 wrote to memory of 2148	2692	WScript.exe	33
PID 2692 wrote to memory of 2148	2692	WScript.exe	33
PID 2148 wrote to memory of 2952	2148	svchcst.exe	34
PID 2148 wrote to memory of 2952	2148	svchcst.exe	34
PID 2148 wrote to memory of 2952	2148	svchcst.exe	34
PID 2148 wrote to memory of 2952	2148	svchcst.exe	34
PID 2952 wrote to memory of 2072	2952	WScript.exe	35
PID 2952 wrote to memory of 2072	2952	WScript.exe	35
PID 2952 wrote to memory of 2072	2952	WScript.exe	35
PID 2952 wrote to memory of 2072	2952	WScript.exe	35
PID 2072 wrote to memory of 2876	2072	svchcst.exe	36
PID 2072 wrote to memory of 2876	2072	svchcst.exe	36
PID 2072 wrote to memory of 2876	2072	svchcst.exe	36
PID 2072 wrote to memory of 2876	2072	svchcst.exe	36
PID 2876 wrote to memory of 1932	2876	WScript.exe	37
PID 2876 wrote to memory of 1932	2876	WScript.exe	37
PID 2876 wrote to memory of 1932	2876	WScript.exe	37
PID 2876 wrote to memory of 1932	2876	WScript.exe	37
PID 1932 wrote to memory of 556	1932	svchcst.exe	38
PID 1932 wrote to memory of 556	1932	svchcst.exe	38
PID 1932 wrote to memory of 556	1932	svchcst.exe	38
PID 1932 wrote to memory of 556	1932	svchcst.exe	38
PID 556 wrote to memory of 2128	556	WScript.exe	39
PID 556 wrote to memory of 2128	556	WScript.exe	39
PID 556 wrote to memory of 2128	556	WScript.exe	39
PID 556 wrote to memory of 2128	556	WScript.exe	39
PID 2128 wrote to memory of 1328	2128	svchcst.exe	40
PID 2128 wrote to memory of 1328	2128	svchcst.exe	40
PID 2128 wrote to memory of 1328	2128	svchcst.exe	40
PID 2128 wrote to memory of 1328	2128	svchcst.exe	40
PID 556 wrote to memory of 2524	556	WScript.exe	41
PID 556 wrote to memory of 2524	556	WScript.exe	41
PID 556 wrote to memory of 2524	556	WScript.exe	41
PID 556 wrote to memory of 2524	556	WScript.exe	41
PID 2524 wrote to memory of 1652	2524	svchcst.exe	42
PID 2524 wrote to memory of 1652	2524	svchcst.exe	42
PID 2524 wrote to memory of 1652	2524	svchcst.exe	42
PID 2524 wrote to memory of 1652	2524	svchcst.exe	42
PID 1328 wrote to memory of 2476	1328	WScript.exe	43
PID 1328 wrote to memory of 2476	1328	WScript.exe	43
PID 1328 wrote to memory of 2476	1328	WScript.exe	43
PID 1328 wrote to memory of 2476	1328	WScript.exe	43
PID 2476 wrote to memory of 1228	2476	svchcst.exe	44
PID 2476 wrote to memory of 1228	2476	svchcst.exe	44
PID 2476 wrote to memory of 1228	2476	svchcst.exe	44
PID 2476 wrote to memory of 1228	2476	svchcst.exe	44
PID 1228 wrote to memory of 1816	1228	WScript.exe	45
PID 1228 wrote to memory of 1816	1228	WScript.exe	45
PID 1228 wrote to memory of 1816	1228	WScript.exe	45
PID 1228 wrote to memory of 1816	1228	WScript.exe	45
PID 1816 wrote to memory of 2120	1816	svchcst.exe	46
PID 1816 wrote to memory of 2120	1816	svchcst.exe	46
PID 1816 wrote to memory of 2120	1816	svchcst.exe	46
PID 1816 wrote to memory of 2120	1816	svchcst.exe	46
PID 2120 wrote to memory of 1596	2120	WScript.exe	47
PID 2120 wrote to memory of 1596	2120	WScript.exe	47
PID 2120 wrote to memory of 1596	2120	WScript.exe	47
PID 2120 wrote to memory of 1596	2120	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe
"C:\Users\Admin\AppData\Local\Temp\877b41d86abc4beb79d798175647ad063e866d81398ad90f4bdd39ac1e758b5a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
15e204ca2ec36d83158b6685f9b69998

SHA1
9d1a1e7c19e66272d4f823f7d1c147c727a55428

SHA256
4d6dba135db59478e5ac8642337c2a59778703eafe1ab846d937a3a5305e2d0e

SHA512
3feff5b8145b0f3b9e0890de6fe1d2957f1715d8c344563ef1d535837cfbbd4759ed20f3733365c0146c736a6e5ef82174ca313573c056e2fc6eddb78340a4ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eebe2d00938d9a2d5ca2e934114f9128

SHA1
ed03659c0c6fde34e76ca889889595154e0cf607

SHA256
ebc47ee0c7fd35cb276cdb5d0c5fcfcecc002051ff13fda06ff912361640fd2b

SHA512
17674e69b3765c26ce855a3afd9ed37afb4e4d0c4146e59d4ea8e51405208d430f5e013428349e630ac13baf8a4ebabbc02f2cd5371e5d7a7b7762f0ce61c151

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
93b9c93e621026a6e2ef92d097528eea

SHA1
236d3be93b0e30dad7ba7708cc098a4ed26c54e7

SHA256
19dc72019a599b4461f9532d21324c22f78a7a530b4c9eda028b06f449477fb4

SHA512
4664a2d5a94544feed33fd7d62aa826cfaa00dff8328c22464e70e39fc66bb6d9a319d9e3448cd4a6f737b055aaa67bb28a16dfe5c3864e8ce538ef57f852b8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ce9c2733b647fe88dce2fae6db3ee329

SHA1
fda538c1f1e34838220b236241a86f4fa86c31db

SHA256
686b7b24d4c32446e8040713c7b410a5d05f761273287521adcec15752eaf55d

SHA512
54ee5c58314d7d0e79f3c39f32791991a1a815d568b9a4d523e081ee7c22542f26444ee5fcb36d6b93d5761819e43a7920f40d775e7537fc5e0bf6ecfc6034e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
477b9d92b3c1c74deb55990c6761edb0

SHA1
0d9c6336fd2735e7b9b2a79696052ef5990bbd3f

SHA256
2b486cf7fcdbe319aa4ce98dc99a8f7c2ab0f09edff5c7d80e99ec8cd84adda6

SHA512
6778442a353386998503e9dac645cc930f1cfb35ee6abe935ffa50115f602631c376c343b33c99d9ddbb79bb5abb2e07bd7dfa1785023253e17d8471e1cbaf3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
31819b1d9767e25e25103f244ada097e

SHA1
c88636533934a02403a106f6996e29377bfee56a

SHA256
035be3acde59602a0017152b41cdba08ad371fb7ab1aa87444eb9ec55924b10b

SHA512
976f4b92470e33292df023e4924c13cc325787d732f92ea8ff77a8bc4c480e004f0915b57519e84bcc374fe2db3480be5d934a9d50531855dbaa615bb767cb93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
635fdf4f68c4740d2ec236304463c616

SHA1
47e059d145f79ae3e084e11970a1f304091582fb

SHA256
5cc4af61fc531b33e9a6a0609bd7e8912fd4566acd788014c3258e1ae106e4bb

SHA512
74819bce1ed99f7f90e173d03c5962cd53cc5d74a1bf5b91be6470c9f1778782a453be344c33dfa80ef3290f09ce7e5757ddaf5ec541a311d3f32237cffda6da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
43ada8b6900adbd875bdb5611663d9b7

SHA1
a2e247f161e5135a0717d8f2e15827a7f7baa30e

SHA256
68a7d1f7c7b302e2532d4ecc2e302d40b4d6e4962ec41ca1589891b089646e11

SHA512
f59d0925b4f7bd576b4a8483f308dca7ed670b6d4af1206ed412fd39faabe27caf41a456c03fce5b1e0419c38f9c53827c9dc553f247eaa68e62c2f6a8f418dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
faf2f174007d9f0fcd3f248ec8d93f3d

SHA1
f97c9a16c95404174cb381412a96074a2e961d03

SHA256
147b93d88091910657d9491aad9590493f5eddb341c154d6aa974a058274ef0c

SHA512
243d979df5547126f068e725f6fe60637b4575da47c4c524748d43c7a989dde6e192708cc940c2c99b1099b5c63efbe88cbf1fae22e53cdd24781b832c0c0418

Download Submit
memory/2708-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download