Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 23:25

Static task: static1

Behavioral task: behavioral1
Sample: 331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe
Resource: win10v2004-20240802-en
General
Target: 331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe
Size: 1.1MB
MD5: 61504593aacc72b2c2a76badb51e55b0
SHA1: 1ed451c0d8b037d8716ba49c04a362aaf45dd5c1
SHA256: 331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef
SHA512: 7fa12b7ce0069d07f6a7e048d74d1cca7526e6093150127b717177818569173e9e899797b94e2d1efa2ca35a89908443c8b44667cac1bee5ae5dc2d32d01697d
SSDEEP: 24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzMK
Malware Config
Signatures
-
Deletes itself 1 IoCs
PID 2968 svchcst.exe
Executes dropped EXE 23 IoCs
Loads dropped DLL 46 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 48 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: RenamesItself 1 IoCs
PID 3032 331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe
Suspicious use of SetWindowsHookEx 48 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

PID 3032 (depth 1): C:\Users\Admin\AppData\Local\Temp\331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 1028 (depth 2): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 2968 (depth 3): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 2716 (depth 4): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 2004 (depth 5): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 2420 (depth 6): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 2132 (depth 7): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 1416 (depth 8): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 2228 (depth 9): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 1692 (depth 10): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 2988 (depth 11): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 880 (depth 12): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 1556 (depth 13): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 2080 (depth 14): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 2156 (depth 15): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

PID 1604 (depth 16): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

PID 1656 (depth 17): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2912 (depth 18): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 3064 (depth 19): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2776 (depth 20): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 664 (depth 21): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 1252 (depth 22): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2704 (depth 23): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2224 (depth 24): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 1920 (depth 25): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2228 (depth 26): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 1856 (depth 27): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2988 (depth 28): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2464 (depth 29): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2220 (depth 30): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 1508 (depth 31): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 1644 (depth 32): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2972 (depth 33): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2904 (depth 34): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2656 (depth 35): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 588 (depth 36): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2612 (depth 37): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 1140 (depth 38): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2812 (depth 39): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 3056 (depth 40): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 1888 (depth 41): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2796 (depth 42): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2124 (depth 43): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 1532 (depth 44): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2232 (depth 45): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 1564 (depth 46): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 2460 (depth 47): C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

PID 2256 (depth 48): C:\Windows\SysWOW64\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads