b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe
Size

1.1MB
MD5

dea323fdfa8ced4e017ab4b97f71808d
SHA1

f010c27b75cb3531fc81881e03bc008e0d0bd20f
SHA256

b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b
SHA512

3137360ead4a7eec174273c31a4a6ac414554166e0b5630060d0f81b89b165c3922acc7712cbc31dc0629464761e11dfd273abbbb47e038c9fae2e6ff8098523
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QL:CcaClSFlG4ZM7QzMc

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2936	svchcst.exe

Executes dropped EXE 20 IoCs

pid	Process
2936	svchcst.exe
2344	svchcst.exe
1452	svchcst.exe
2972	svchcst.exe
3060	svchcst.exe
1932	svchcst.exe
2468	svchcst.exe
2584	svchcst.exe
2912	svchcst.exe
2744	svchcst.exe
2008	svchcst.exe
2988	svchcst.exe
768	svchcst.exe
2796	svchcst.exe
868	svchcst.exe
1612	svchcst.exe
2772	svchcst.exe
2432	svchcst.exe
2648	svchcst.exe
2124	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2432	WScript.exe
2432	WScript.exe
2616	WScript.exe
2616	WScript.exe
2892	WScript.exe
2892	WScript.exe
1288	WScript.exe
1288	WScript.exe
2072	WScript.exe
2072	WScript.exe
1864	WScript.exe
1864	WScript.exe
776	WScript.exe
776	WScript.exe
776	WScript.exe
2396	WScript.exe
2396	WScript.exe
2840	WScript.exe
2840	WScript.exe
2936	WScript.exe
2936	WScript.exe
2980	WScript.exe
2980	WScript.exe
2340	WScript.exe
2340	WScript.exe
1716	WScript.exe
1716	WScript.exe
1808	WScript.exe
1808	WScript.exe
1852	WScript.exe
1852	WScript.exe
1328	WScript.exe
1328	WScript.exe
812	WScript.exe
812	WScript.exe
624	WScript.exe
624	WScript.exe
316	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe
2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe
2936	svchcst.exe
2936	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
1452	svchcst.exe
1452	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2744	svchcst.exe
2744	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
768	svchcst.exe
768	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
868	svchcst.exe
868	svchcst.exe
1612	svchcst.exe
1612	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2432	2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe	30
PID 2360 wrote to memory of 2432	2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe	30
PID 2360 wrote to memory of 2432	2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe	30
PID 2360 wrote to memory of 2432	2360	b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe	30
PID 2432 wrote to memory of 2936	2432	WScript.exe	33
PID 2432 wrote to memory of 2936	2432	WScript.exe	33
PID 2432 wrote to memory of 2936	2432	WScript.exe	33
PID 2432 wrote to memory of 2936	2432	WScript.exe	33
PID 2936 wrote to memory of 2616	2936	svchcst.exe	34
PID 2936 wrote to memory of 2616	2936	svchcst.exe	34
PID 2936 wrote to memory of 2616	2936	svchcst.exe	34
PID 2936 wrote to memory of 2616	2936	svchcst.exe	34
PID 2616 wrote to memory of 2344	2616	WScript.exe	35
PID 2616 wrote to memory of 2344	2616	WScript.exe	35
PID 2616 wrote to memory of 2344	2616	WScript.exe	35
PID 2616 wrote to memory of 2344	2616	WScript.exe	35
PID 2344 wrote to memory of 2892	2344	svchcst.exe	36
PID 2344 wrote to memory of 2892	2344	svchcst.exe	36
PID 2344 wrote to memory of 2892	2344	svchcst.exe	36
PID 2344 wrote to memory of 2892	2344	svchcst.exe	36
PID 2892 wrote to memory of 1452	2892	WScript.exe	37
PID 2892 wrote to memory of 1452	2892	WScript.exe	37
PID 2892 wrote to memory of 1452	2892	WScript.exe	37
PID 2892 wrote to memory of 1452	2892	WScript.exe	37
PID 1452 wrote to memory of 1288	1452	svchcst.exe	38
PID 1452 wrote to memory of 1288	1452	svchcst.exe	38
PID 1452 wrote to memory of 1288	1452	svchcst.exe	38
PID 1452 wrote to memory of 1288	1452	svchcst.exe	38
PID 1288 wrote to memory of 2972	1288	WScript.exe	39
PID 1288 wrote to memory of 2972	1288	WScript.exe	39
PID 1288 wrote to memory of 2972	1288	WScript.exe	39
PID 1288 wrote to memory of 2972	1288	WScript.exe	39
PID 2972 wrote to memory of 2072	2972	svchcst.exe	40
PID 2972 wrote to memory of 2072	2972	svchcst.exe	40
PID 2972 wrote to memory of 2072	2972	svchcst.exe	40
PID 2972 wrote to memory of 2072	2972	svchcst.exe	40
PID 2072 wrote to memory of 3060	2072	WScript.exe	41
PID 2072 wrote to memory of 3060	2072	WScript.exe	41
PID 2072 wrote to memory of 3060	2072	WScript.exe	41
PID 2072 wrote to memory of 3060	2072	WScript.exe	41
PID 3060 wrote to memory of 1864	3060	svchcst.exe	42
PID 3060 wrote to memory of 1864	3060	svchcst.exe	42
PID 3060 wrote to memory of 1864	3060	svchcst.exe	42
PID 3060 wrote to memory of 1864	3060	svchcst.exe	42
PID 3060 wrote to memory of 776	3060	svchcst.exe	43
PID 3060 wrote to memory of 776	3060	svchcst.exe	43
PID 3060 wrote to memory of 776	3060	svchcst.exe	43
PID 3060 wrote to memory of 776	3060	svchcst.exe	43
PID 1864 wrote to memory of 1932	1864	WScript.exe	44
PID 1864 wrote to memory of 1932	1864	WScript.exe	44
PID 1864 wrote to memory of 1932	1864	WScript.exe	44
PID 1864 wrote to memory of 1932	1864	WScript.exe	44
PID 776 wrote to memory of 2468	776	WScript.exe	45
PID 776 wrote to memory of 2468	776	WScript.exe	45
PID 776 wrote to memory of 2468	776	WScript.exe	45
PID 776 wrote to memory of 2468	776	WScript.exe	45
PID 1932 wrote to memory of 1756	1932	svchcst.exe	46
PID 1932 wrote to memory of 1756	1932	svchcst.exe	46
PID 1932 wrote to memory of 1756	1932	svchcst.exe	46
PID 1932 wrote to memory of 1756	1932	svchcst.exe	46
PID 776 wrote to memory of 2584	776	WScript.exe	47
PID 776 wrote to memory of 2584	776	WScript.exe	47
PID 776 wrote to memory of 2584	776	WScript.exe	47
PID 776 wrote to memory of 2584	776	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe
"C:\Users\Admin\AppData\Local\Temp\b30c6f131fccd02d6b75a7a6dcdbba60fbcbb8af3efec5d3765da6d6714ed68b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        
        PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1eec7260c827927dff2614954c98d570

SHA1
bf14bbfc22aaa74b51d2b685184489985c4bb6b9

SHA256
b204b668147357b2e275332ce738c1114e551cad632c890f965256bcfca96f2c

SHA512
e876a58bf7ee66709068176e9a20f1cd518279585fce66b9ea892086ab3e83b6f48353ac1dcad512df0d55e26ecf30f208ac93859eef99691f912f45912ad7de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e15942796fb53aeb03d5d295cd15bc84

SHA1
c3885fe4d205586e984111acb5104f700dea0f1a

SHA256
7a8f564ea8834acd6507374c078405e3430184150ebfe3a40c8561598fc4ab57

SHA512
9fe8c17e344b97c2170cfbe49e7b696020c901399df9d168f732d97e6e533d8efa25c2c8604e5dc67a1acc7770ee1148bf41d60ca28a9cf2141f63b99c1caae0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d9bcb09c1519bb5a51437ee9972f3d77

SHA1
5b3fc86f02f27954d8063073a0bd758b82e3a685

SHA256
2088b5c354a43053e424d03a03a28fbff5be2fd5eeb1ef3216144a92253ce460

SHA512
e9808072d1fe024b199b6f7485ac37a912446811cd382fceef64a0cc207dc5134517287a46a3e0feaa76a725414d8810843129eb6e42c008c3cae0aca2018f1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ba57a28d5677c5cc9eedc5c0c6adefd8

SHA1
5828266e67a0011e34433f57e124dc5f3b4dcd1a

SHA256
29163de8a48264f902a743f93c864304245dbcab17fa6783ddbfe63f038b13ed

SHA512
4ddda6001b59416f9cf3025cf9debdbffc8d55fbb4f6694b791974365e5cb8785a1a9290b3088991a30fc92d0b071c84153559182fbdb00b05971f32ebf8509a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d45d7b6dee758eaa5e93930324de1208

SHA1
11eaeb2e809b4ed4a2340f86d784d5c0db1f181e

SHA256
0f9430b73430d0be2036765b142ff3ef11ef759bd0fb7cc393fa8e31c72b5878

SHA512
e96e35cc5e5f78bda3c1774a9a3a5e072f110500e819e1e2b825c884a06cafa6613c1f19ca5fd9e23b375c390f09804dfc1f20f6615bcc8ad52657701072448d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
96ea5988f772a910e9b14a7a07df1aef

SHA1
454013ea5b768a925dd4618e95d82e9a748bada9

SHA256
f65e8f6f8f2a9c37c2733b93e3997d783375f3dae55e81e2cdca8b44b4717766

SHA512
4d5d0a48488d9df6d02516b6ff34e6844900a0fce6fb813e29d49e628abf238ded291e545e6e6c41a139f6ce622aac82d450b93f2bcf01164d80ec5f27ad5b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2db22526ae1d57f4e983d21e05c86eb8

SHA1
34ad6a919f07c9f7c8330f3ab1dbcf9c3004a877

SHA256
8f6be456253b510b3d9a88a36658fa943444b4732deee3a39f0f0473b5dbe8d8

SHA512
8da679590cbfbd183a4b1250298a23490c6afd8c75a824da48a00b108c37631a7650ebd3b0510c15e15476919af4495cb6f21293095991ff5efd0003743e1003

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7166e36bbdfd2fede05d1ef4f81db701

SHA1
55b46867733e7cb5cc7bea067c830e019d327fa6

SHA256
b00920a9ce635c19781fe7234fba1373b0cc539dc4c57721c402eefd2f464182

SHA512
c9c03ab7bd2007f69055aaf39fa61f681a260e0c4f8bc4591262f025df87cc3c6394c08657d3a0eaacd027a6dec05b0cda025ad4432797b1905e8b8482471e76

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fb77a56afb509fa85f05c218682a3589

SHA1
352c292b362f7ea3b49d7e2eddf57af97c4071fe

SHA256
31d5d8abb233910f990c0c4b3ae4da15fb9ecf969ae903237d301441f360bbc7

SHA512
3e926e529b87ba7a1809f09211506fb47298de670146d18d4472b183856f6f18905f93b4e56bf27fe113cd57088dd0326de55b9a0025e6eed6952b46c0c9c636

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b6f91b5b2e5949dd00cdc0832f1954f9

SHA1
3f2e12ce351db2d4d3e88c9749ddfc4329a495f4

SHA256
5704749c1c80c1b8659c4a961a3328f7aeeb0599ac1815bf05aa0cd191927a01

SHA512
3a14b09233f4568b6ef9b7e4a620d7c3310dc3a373c1118a64603fb8f310abd0f8d3cf6e173350eb76dd348f15d486d0e0e7eb29935cf1b7611f6d69d39efde9

Download Submit
memory/2360-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download