979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe
Size

1.1MB
MD5

29741b52d9ed019212c07e132666958c
SHA1

8243b7be2eb4a9388d65fc1d903f35265c802228
SHA256

979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b
SHA512

1064c1640b9d71563fed387d4b79be7fcaf74440c21020a3fa39316ce138fb9b4a841066a8d0a3088f074893bb1b2e724d9f1d625ffb8e002a758f5435d0cc75
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q+:CcaClSFlG4ZM7QzM1

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2712	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2712	svchcst.exe
568	svchcst.exe
2432	svchcst.exe
2916	svchcst.exe
448	svchcst.exe
1720	svchcst.exe
2248	svchcst.exe
2380	svchcst.exe
2708	svchcst.exe
1488	svchcst.exe
2940	svchcst.exe
1684	svchcst.exe
1844	svchcst.exe
2292	svchcst.exe
1964	svchcst.exe
2104	svchcst.exe
2548	svchcst.exe
2596	svchcst.exe
968	svchcst.exe
2988	svchcst.exe
2916	svchcst.exe
2580	svchcst.exe
300	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2320	WScript.exe
2320	WScript.exe
2652	WScript.exe
2652	WScript.exe
2656	WScript.exe
752	WScript.exe
752	WScript.exe
752	WScript.exe
1620	WScript.exe
1764	WScript.exe
3020	WScript.exe
3020	WScript.exe
2068	WScript.exe
2068	WScript.exe
2600	WScript.exe
2600	WScript.exe
1584	WScript.exe
1584	WScript.exe
2684	WScript.exe
2684	WScript.exe
2908	WScript.exe
2908	WScript.exe
1672	WScript.exe
1672	WScript.exe
3000	WScript.exe
3000	WScript.exe
2884	WScript.exe
2884	WScript.exe
2296	WScript.exe
2296	WScript.exe
1936	WScript.exe
1936	WScript.exe
492	WScript.exe
492	WScript.exe
2096	WScript.exe
2096	WScript.exe
1432	WScript.exe
1432	WScript.exe
908	WScript.exe
908	WScript.exe
3040	WScript.exe
3040	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe
2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe
2712	svchcst.exe
2712	svchcst.exe
568	svchcst.exe
568	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
448	svchcst.exe
448	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
1964	svchcst.exe
1964	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2548	svchcst.exe
2548	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
968	svchcst.exe
968	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2916	svchcst.exe
2916	svchcst.exe
2580	svchcst.exe
2580	svchcst.exe
300	svchcst.exe
300	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2320	2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe	30
PID 2072 wrote to memory of 2320	2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe	30
PID 2072 wrote to memory of 2320	2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe	30
PID 2072 wrote to memory of 2320	2072	979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe	30
PID 2320 wrote to memory of 2712	2320	WScript.exe	32
PID 2320 wrote to memory of 2712	2320	WScript.exe	32
PID 2320 wrote to memory of 2712	2320	WScript.exe	32
PID 2320 wrote to memory of 2712	2320	WScript.exe	32
PID 2712 wrote to memory of 2652	2712	svchcst.exe	33
PID 2712 wrote to memory of 2652	2712	svchcst.exe	33
PID 2712 wrote to memory of 2652	2712	svchcst.exe	33
PID 2712 wrote to memory of 2652	2712	svchcst.exe	33
PID 2652 wrote to memory of 568	2652	WScript.exe	35
PID 2652 wrote to memory of 568	2652	WScript.exe	35
PID 2652 wrote to memory of 568	2652	WScript.exe	35
PID 2652 wrote to memory of 568	2652	WScript.exe	35
PID 568 wrote to memory of 2656	568	svchcst.exe	36
PID 568 wrote to memory of 2656	568	svchcst.exe	36
PID 568 wrote to memory of 2656	568	svchcst.exe	36
PID 568 wrote to memory of 2656	568	svchcst.exe	36
PID 2656 wrote to memory of 2432	2656	WScript.exe	37
PID 2656 wrote to memory of 2432	2656	WScript.exe	37
PID 2656 wrote to memory of 2432	2656	WScript.exe	37
PID 2656 wrote to memory of 2432	2656	WScript.exe	37
PID 2432 wrote to memory of 752	2432	svchcst.exe	38
PID 2432 wrote to memory of 752	2432	svchcst.exe	38
PID 2432 wrote to memory of 752	2432	svchcst.exe	38
PID 2432 wrote to memory of 752	2432	svchcst.exe	38
PID 752 wrote to memory of 2916	752	WScript.exe	39
PID 752 wrote to memory of 2916	752	WScript.exe	39
PID 752 wrote to memory of 2916	752	WScript.exe	39
PID 752 wrote to memory of 2916	752	WScript.exe	39
PID 2916 wrote to memory of 3000	2916	svchcst.exe	40
PID 2916 wrote to memory of 3000	2916	svchcst.exe	40
PID 2916 wrote to memory of 3000	2916	svchcst.exe	40
PID 2916 wrote to memory of 3000	2916	svchcst.exe	40
PID 752 wrote to memory of 448	752	WScript.exe	41
PID 752 wrote to memory of 448	752	WScript.exe	41
PID 752 wrote to memory of 448	752	WScript.exe	41
PID 752 wrote to memory of 448	752	WScript.exe	41
PID 448 wrote to memory of 1620	448	svchcst.exe	42
PID 448 wrote to memory of 1620	448	svchcst.exe	42
PID 448 wrote to memory of 1620	448	svchcst.exe	42
PID 448 wrote to memory of 1620	448	svchcst.exe	42
PID 1620 wrote to memory of 1720	1620	WScript.exe	43
PID 1620 wrote to memory of 1720	1620	WScript.exe	43
PID 1620 wrote to memory of 1720	1620	WScript.exe	43
PID 1620 wrote to memory of 1720	1620	WScript.exe	43
PID 1720 wrote to memory of 1764	1720	svchcst.exe	44
PID 1720 wrote to memory of 1764	1720	svchcst.exe	44
PID 1720 wrote to memory of 1764	1720	svchcst.exe	44
PID 1720 wrote to memory of 1764	1720	svchcst.exe	44
PID 1764 wrote to memory of 2248	1764	WScript.exe	45
PID 1764 wrote to memory of 2248	1764	WScript.exe	45
PID 1764 wrote to memory of 2248	1764	WScript.exe	45
PID 1764 wrote to memory of 2248	1764	WScript.exe	45
PID 2248 wrote to memory of 3020	2248	svchcst.exe	46
PID 2248 wrote to memory of 3020	2248	svchcst.exe	46
PID 2248 wrote to memory of 3020	2248	svchcst.exe	46
PID 2248 wrote to memory of 3020	2248	svchcst.exe	46
PID 3020 wrote to memory of 2380	3020	WScript.exe	47
PID 3020 wrote to memory of 2380	3020	WScript.exe	47
PID 3020 wrote to memory of 2380	3020	WScript.exe	47
PID 3020 wrote to memory of 2380	3020	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe
"C:\Users\Admin\AppData\Local\Temp\979983e6b779e2e3702b3c42e59b3028cf4fba53f614ccb5de18a16e1b124f9b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
43800a5fe8b6b986d4c595dac668de8c

SHA1
b7308617d08597d8e82e6ef6513e4603597b4b5c

SHA256
5209905f4edc5206453c2ef71c8fb69241fd4a8e89d4979c060c29625ef49707

SHA512
292c2c3156561332d14b22116ec80ec349e0bad1d3f47500ae2483fd8e7f340444223af2f0fa72aee78104057c66bd93372883b769dcc9a097a389ae6ba451fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8a4e7c167f1f32f57255da24e4fe4f7

SHA1
0985be9ce16545d33081be818983fddf4a62c3fa

SHA256
65625e841d772f0f26ebc115e2e31d193d33d5a8e242561ed71e0d27dfbf6754

SHA512
ae93e8267807732bf47c5ebf28ec96a24ac199e029e8622264459b61bf74afe0c94724fc41464c2cdfe1d13621acc6d95154c0db9c05dc5ceef0e9d966b2a703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c0e7285006dddfafd03a391dea681be1

SHA1
f9934e4a826f5ea4a2d9a21e0ccca5d184e27fd2

SHA256
6c277d023a9186d66df79aeb2bb2dafb458cf069a3ec26d67e204c27f3a63907

SHA512
6ef330c537e1dbabef0cc7e4304490918093e330fbbeb6fe426a5606635e0cb8fb256dc64a5c9fec590aed9840ac3f87708ad589baba49956b9cdd041a0fa621

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b38bb6450ff6f29ff8ca43146c7a3e4

SHA1
36b1249d4a6f93c17d2b55ec8006805ab48d4b8a

SHA256
6385c67365f279da90f1c3f2364e2476f04bbe57e7b2dec0151caf9bd8adee56

SHA512
99415cedbb8ad9f69ae33c21457f77df00bd2e55cb9b635cc1c5121567d37785774d553f8d92a79b5293d4dd09995d28435e3b73bb20077db0932468bf2133c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5e8f3f7f0a8f2cd6c53d4d0517636a1d

SHA1
eafcf7a7fae3f9246ea25b7b93696032beda4912

SHA256
e10adf9a53893b20fe8122d5139da3e40d5fb3acfe392958f94630dff1a52ffb

SHA512
fc52d746415aa592fda139c50bec15c1a00330dbcbff85fdf2bb999311524ecb63b1d79a485556633d290672da21b92e35a329b6d78f9b07a203866c926e61f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
00cc30612a67e665188323f15ce4a0d0

SHA1
46e7d7d61ca9350bfd81950f05d10f300622ce27

SHA256
325672dc790a1fe32ee426a40a3d11b16d0267646176bbfd31a481e678697b3b

SHA512
205dda57332c0687202bc89c150a0eef56a532bd2476d242a91d8682c815766e6368d40c9a8d7248ff185212aa9b4a5c5ac1be66e7d45d30c857a3713c94f043

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
721dd1ff75e5271946ada5bded9a7bf7

SHA1
78c3e76068a2de87b15c0c2b89ff073dbfa19c56

SHA256
71529164f4c84066831424d10ea1dc3bfffd0e4592b6b99636c58824ae9609db

SHA512
42211bcc3f2ef4212eaec8efd1426cfeab6ca945341358a0859df98f66529a1e423391d95e9349fc90a7ade9ba87fbcaef86b98925dd56e36c88569e843c3b4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
707cb3efb4a700d44f154b6c3cf2fe8e

SHA1
d9368f25bc3e8bed9a04a58a6a891147c5634dab

SHA256
8207472ded20986e9996b76dd9d21f2a32a18f04651a262ed1b56710d55ee6d8

SHA512
82ad890c5eabb45c467d19ab310f8befd981c5942c2b1be9f0e0ea91a592d5d094c519f4188323badb12355305b5ddf455bc6bb1cfaaf4abbc36c62393db32e3

Download Submit
memory/2072-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download