Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 21/08/2024, 11:53
Static task: static1
Behavioral task: behavioral1
  Sample: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
  Resource: win10v2004-20240802-en
General
Target: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
Size: 1.1MB
MD5: e8196031924f935ff5c0ef93d4a24ab4
SHA1: eeb6a3ff13e3e42db0e15c4387dddfdfa0e6b74a
SHA256: af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d
SHA512: 6e040cc1591109bf93c4de1497790e25ce35d28bc5db8ab5e7ced8163a639600eb951039ecdaab868bc4b2bd24541fc29cdb16e6507f053a1621e350d248551c
SSDEEP: 24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMi
Malware Config
Signatures
Deletes itself (1 IoC)
  PID 2804  svchcst.exe
Executes dropped EXE (24 IoCs)
  PID 2804  svchcst.exe
  PID 584   svchcst.exe
  PID 2608  svchcst.exe
  PID 3016  svchcst.exe
  PID 2604  svchcst.exe
  PID 1424  svchcst.exe
  PID 1748  svchcst.exe
  PID 868   svchcst.exe
  PID 2996  svchcst.exe
  PID 2668  svchcst.exe
  PID 1968  svchcst.exe
  PID 2344  svchcst.exe
  PID 376   svchcst.exe
  PID 2680  svchcst.exe
  PID 2264  svchcst.exe
  PID 580   svchcst.exe
  PID 2648  svchcst.exe
  PID 2500  svchcst.exe
  PID 2064  svchcst.exe
  PID 1612  svchcst.exe
  PID 1048  svchcst.exe
  PID 2540  svchcst.exe
  PID 1604  svchcst.exe
  PID 1600  svchcst.exe
Loads dropped DLL (42 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 50 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: RenamesItself (1 IoC)
  PID 984  af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
Suspicious use of SetWindowsHookEx (50 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 984

depth 2: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1680

depth 3: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2804

depth 4: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2624

depth 5: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 584

depth 6: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2992

depth 7: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2608

depth 8: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1740

depth 9: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2604

depth 10: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2192

depth 11: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1424

depth 12: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1216

depth 13: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 868

depth 14: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - System Location Discovery: System Language Discovery
  PID: 2248

depth 11: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1748

depth 11: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2996

depth 12: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2052

depth 13: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2668

depth 14: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 1060

depth 15: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1968

depth 16: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - System Location Discovery: System Language Discovery
  PID: 1160

depth 15: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2344

depth 16: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 980

depth 17: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 376

depth 18: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 660

depth 19: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2680

depth 20: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 884

depth 21: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2264

depth 22: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 868

depth 23: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 580

depth 24: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2832

depth 25: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2648

depth 26: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2904

depth 27: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2500

depth 28: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 612

depth 29: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2064

depth 30: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2940

depth 31: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1612

depth 32: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 1360

depth 33: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1048

depth 34: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 568

depth 35: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 2540

depth 36: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2132

depth 37: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1604

depth 38: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 804

depth 39: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 1600

depth 40: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - System Location Discovery: System Language Discovery
  PID: 960

depth 14: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - System Location Discovery: System Language Discovery
  PID: 2584

depth 7: C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3016

depth 8: C:\Windows\SysWOW64\WScript.exe
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - System Location Discovery: System Language Discovery
  PID: 2388
Network
MITRE ATT&CK Enterprise v15
Downloads