b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa

Analysis

max time kernel
82s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 21:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe
Size

1.1MB
MD5

2f5fc04bfcc4be9a354350d44dcc7d3b
SHA1

a51a852328104e0f2f04a005ef333cf729945b98
SHA256

b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa
SHA512

459c0c19b64e445d0c7adc16c3e0bc3e081e31fddb86d7e27e3c0efd504d579c7bdf8ea754a7dc9abda566a4b302690b07ed48ac42831ca7787f992605a8344a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QM:CcaClSFlG4ZM7QzML

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2692	svchcst.exe

Executes dropped EXE 16 IoCs

pid	Process
2692	svchcst.exe
2360	svchcst.exe
3012	svchcst.exe
324	svchcst.exe
2068	svchcst.exe
2496	svchcst.exe
1956	svchcst.exe
1116	svchcst.exe
2916	svchcst.exe
1520	svchcst.exe
3008	svchcst.exe
2968	svchcst.exe
2220	svchcst.exe
1668	svchcst.exe
1792	svchcst.exe
3052	svchcst.exe

Loads dropped DLL 24 IoCs

pid	Process
2776	WScript.exe
2776	WScript.exe
1020	WScript.exe
1020	WScript.exe
388	WScript.exe
2900	WScript.exe
2284	WScript.exe
2284	WScript.exe
2284	WScript.exe
760	WScript.exe
1724	WScript.exe
2868	WScript.exe
2320	WScript.exe
1168	WScript.exe
1168	WScript.exe
2320	WScript.exe
2320	WScript.exe
3012	WScript.exe
3012	WScript.exe
2184	WScript.exe
2184	WScript.exe
2188	WScript.exe
2188	WScript.exe
1928	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe
2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe
2692	svchcst.exe
2692	svchcst.exe
2360	svchcst.exe
2360	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
324	svchcst.exe
324	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
1116	svchcst.exe
1116	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
2968	svchcst.exe
2968	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
1792	svchcst.exe
1792	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2776	2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe	29
PID 2388 wrote to memory of 2776	2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe	29
PID 2388 wrote to memory of 2776	2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe	29
PID 2388 wrote to memory of 2776	2388	b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe	29
PID 2776 wrote to memory of 2692	2776	WScript.exe	31
PID 2776 wrote to memory of 2692	2776	WScript.exe	31
PID 2776 wrote to memory of 2692	2776	WScript.exe	31
PID 2776 wrote to memory of 2692	2776	WScript.exe	31
PID 2692 wrote to memory of 1020	2692	svchcst.exe	32
PID 2692 wrote to memory of 1020	2692	svchcst.exe	32
PID 2692 wrote to memory of 1020	2692	svchcst.exe	32
PID 2692 wrote to memory of 1020	2692	svchcst.exe	32
PID 2692 wrote to memory of 388	2692	svchcst.exe	33
PID 2692 wrote to memory of 388	2692	svchcst.exe	33
PID 2692 wrote to memory of 388	2692	svchcst.exe	33
PID 2692 wrote to memory of 388	2692	svchcst.exe	33
PID 1020 wrote to memory of 2360	1020	WScript.exe	34
PID 1020 wrote to memory of 2360	1020	WScript.exe	34
PID 1020 wrote to memory of 2360	1020	WScript.exe	34
PID 1020 wrote to memory of 2360	1020	WScript.exe	34
PID 388 wrote to memory of 3012	388	WScript.exe	35
PID 388 wrote to memory of 3012	388	WScript.exe	35
PID 388 wrote to memory of 3012	388	WScript.exe	35
PID 388 wrote to memory of 3012	388	WScript.exe	35
PID 3012 wrote to memory of 2696	3012	svchcst.exe	37
PID 3012 wrote to memory of 2696	3012	svchcst.exe	37
PID 3012 wrote to memory of 2696	3012	svchcst.exe	37
PID 3012 wrote to memory of 2696	3012	svchcst.exe	37
PID 3012 wrote to memory of 2900	3012	svchcst.exe	36
PID 3012 wrote to memory of 2900	3012	svchcst.exe	36
PID 3012 wrote to memory of 2900	3012	svchcst.exe	36
PID 3012 wrote to memory of 2900	3012	svchcst.exe	36
PID 2900 wrote to memory of 324	2900	WScript.exe	38
PID 2900 wrote to memory of 324	2900	WScript.exe	38
PID 2900 wrote to memory of 324	2900	WScript.exe	38
PID 2900 wrote to memory of 324	2900	WScript.exe	38
PID 324 wrote to memory of 2284	324	svchcst.exe	39
PID 324 wrote to memory of 2284	324	svchcst.exe	39
PID 324 wrote to memory of 2284	324	svchcst.exe	39
PID 324 wrote to memory of 2284	324	svchcst.exe	39
PID 2284 wrote to memory of 2068	2284	WScript.exe	40
PID 2284 wrote to memory of 2068	2284	WScript.exe	40
PID 2284 wrote to memory of 2068	2284	WScript.exe	40
PID 2284 wrote to memory of 2068	2284	WScript.exe	40
PID 2068 wrote to memory of 1044	2068	svchcst.exe	41
PID 2068 wrote to memory of 1044	2068	svchcst.exe	41
PID 2068 wrote to memory of 1044	2068	svchcst.exe	41
PID 2068 wrote to memory of 1044	2068	svchcst.exe	41
PID 2284 wrote to memory of 2496	2284	WScript.exe	42
PID 2284 wrote to memory of 2496	2284	WScript.exe	42
PID 2284 wrote to memory of 2496	2284	WScript.exe	42
PID 2284 wrote to memory of 2496	2284	WScript.exe	42
PID 2496 wrote to memory of 760	2496	svchcst.exe	43
PID 2496 wrote to memory of 760	2496	svchcst.exe	43
PID 2496 wrote to memory of 760	2496	svchcst.exe	43
PID 2496 wrote to memory of 760	2496	svchcst.exe	43
PID 760 wrote to memory of 1956	760	WScript.exe	44
PID 760 wrote to memory of 1956	760	WScript.exe	44
PID 760 wrote to memory of 1956	760	WScript.exe	44
PID 760 wrote to memory of 1956	760	WScript.exe	44
PID 1956 wrote to memory of 1724	1956	svchcst.exe	45
PID 1956 wrote to memory of 1724	1956	svchcst.exe	45
PID 1956 wrote to memory of 1724	1956	svchcst.exe	45
PID 1956 wrote to memory of 1724	1956	svchcst.exe	45

C:\Users\Admin\AppData\Local\Temp\b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe
"C:\Users\Admin\AppData\Local\Temp\b316293cffa277ce7fc2394938193b8f1f17d8e9118818acdc9cc5484694fcaa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2360
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1792
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a993725428e7f5e4c784b50025847243

SHA1
d184ebd7150c0a283da3798e3ddd9391899f5876

SHA256
438b34609cac42a1df0dd4c6cf5f45ff2dbc8a6dbfc6ee9ff7f7d25732b00b07

SHA512
0cb9f32f6ee8a6763ed304990aab535e99b983e730cdf5b86019009884e0a4454b3c5bdfc95b8a973e02d6c534d04bcdbf36310fe19d05e3a74b6451e243c645

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0bccab32e5846f9f4dc9874c8afa259e

SHA1
e3bf776668afe4d7d68f39f3293e18a0c54d27ed

SHA256
29ae25f6bcb4169c9762b194780c437862222cd1eb68cf452ae3ac96b55b66e3

SHA512
2974b8746957cc93bb0f3b8f7ef9428c45a6fba8a836df220fcf01caa5400b28da1126a871b3a8ec8f2bf43cbd351a65787ff2412374f54dfd4b319635e7a5ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d1cd2ec141fafd1cb328a03c1ed913c7

SHA1
bb73a50dceb6760a41c4526eed2c756d30ffd1d2

SHA256
1dbbb1ced31182990bfe7ce3e229231016bd65719aa4c2343430c35f061c41bd

SHA512
229d5306db4f02fab23bd59ebfb3afb9373a9ded83c7ee513029fa2995a481aeae195afb2b36a7ea0058305260925280642158846f8a0c2ead4a3bfd2a576472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
78f5e3554a59888a2ccb40ca692d2611

SHA1
2aea5d331226787c13c912806f910f4b8a6a1d88

SHA256
6e253d80f024ad664f3e09ec938c86601d716d852a026e78d2f5181847db6e0b

SHA512
16a075a19e7feefd52369926bf95c80f2792d11f6473e0fd0e4fb980c02bc632d36b1cd1c12d17e607cdb1b465de0dea2c6a617ed0551bc10ddbb2b10b8397b2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
83c4532248859507513306c75af7498d

SHA1
767c44b42c7b619170e098f12b622b58f472b22b

SHA256
334b308f6e59ac357be18d7643acb120e71ed06cec2921540258c5cd9781db01

SHA512
729029c90068530085660e57aca52feffecf764afc6cce509bec63febcdfa9144e89b94987ba115d1b39f794ac3954cbc63178aab6159f2266c7f431e04f0bf1

Download Submit
memory/2388-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download