5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24

Analysis

max time kernel
126s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe
Size

1.1MB
MD5

2314f8f414886a307e856550b634d1ba
SHA1

9458579c61b98fc134ad36ad9610e42afc84e026
SHA256

5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24
SHA512

6a8447f142befbd4d5f91501e042746b459ae1e0ce97b3159be5514e8a8b7bf4a2f695c428be4e33657c7949d551040b698b3e0aa0bde9a52a3d6bcc83bf4edf
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QJ:CcaClSFlG4ZM7QzM6

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2596	svchcst.exe

Executes dropped EXE 21 IoCs

pid	Process
2596	svchcst.exe
776	svchcst.exe
3036	svchcst.exe
1204	svchcst.exe
1820	svchcst.exe
992	svchcst.exe
2788	svchcst.exe
1744	svchcst.exe
1828	svchcst.exe
2956	svchcst.exe
1920	svchcst.exe
1616	svchcst.exe
2088	svchcst.exe
1600	svchcst.exe
2252	svchcst.exe
2660	svchcst.exe
1236	svchcst.exe
916	svchcst.exe
3024	svchcst.exe
1380	svchcst.exe
676	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2964	WScript.exe
2964	WScript.exe
1740	WScript.exe
1740	WScript.exe
2768	WScript.exe
2768	WScript.exe
1044	WScript.exe
1044	WScript.exe
1348	WScript.exe
1348	WScript.exe
2292	WScript.exe
2292	WScript.exe
1588	WScript.exe
1588	WScript.exe
1552	WScript.exe
1552	WScript.exe
1352	WScript.exe
1352	WScript.exe
2804	WScript.exe
2804	WScript.exe
2948	WScript.exe
1132	WScript.exe
1132	WScript.exe
1868	WScript.exe
1868	WScript.exe
980	WScript.exe
980	WScript.exe
3012	WScript.exe
3012	WScript.exe
2604	WScript.exe
2604	WScript.exe
2636	WScript.exe
2636	WScript.exe
308	WScript.exe
308	WScript.exe
1028	WScript.exe
1028	WScript.exe
2188	WScript.exe
2188	WScript.exe
972	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe
2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe
2596	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe
2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe
2596	svchcst.exe
2596	svchcst.exe
776	svchcst.exe
776	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
1204	svchcst.exe
1204	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
992	svchcst.exe
992	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
1744	svchcst.exe
1744	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe
916	svchcst.exe
916	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
1380	svchcst.exe
1380	svchcst.exe
676	svchcst.exe
676	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2964	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	31
PID 2388 wrote to memory of 2964	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	31
PID 2388 wrote to memory of 2964	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	31
PID 2388 wrote to memory of 2964	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	31
PID 2388 wrote to memory of 2424	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	32
PID 2388 wrote to memory of 2424	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	32
PID 2388 wrote to memory of 2424	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	32
PID 2388 wrote to memory of 2424	2388	5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe	32
PID 2964 wrote to memory of 2596	2964	WScript.exe	34
PID 2964 wrote to memory of 2596	2964	WScript.exe	34
PID 2964 wrote to memory of 2596	2964	WScript.exe	34
PID 2964 wrote to memory of 2596	2964	WScript.exe	34
PID 2596 wrote to memory of 1740	2596	svchcst.exe	35
PID 2596 wrote to memory of 1740	2596	svchcst.exe	35
PID 2596 wrote to memory of 1740	2596	svchcst.exe	35
PID 2596 wrote to memory of 1740	2596	svchcst.exe	35
PID 1740 wrote to memory of 776	1740	WScript.exe	36
PID 1740 wrote to memory of 776	1740	WScript.exe	36
PID 1740 wrote to memory of 776	1740	WScript.exe	36
PID 1740 wrote to memory of 776	1740	WScript.exe	36
PID 776 wrote to memory of 2768	776	svchcst.exe	37
PID 776 wrote to memory of 2768	776	svchcst.exe	37
PID 776 wrote to memory of 2768	776	svchcst.exe	37
PID 776 wrote to memory of 2768	776	svchcst.exe	37
PID 776 wrote to memory of 1564	776	svchcst.exe	38
PID 776 wrote to memory of 1564	776	svchcst.exe	38
PID 776 wrote to memory of 1564	776	svchcst.exe	38
PID 776 wrote to memory of 1564	776	svchcst.exe	38
PID 2768 wrote to memory of 3036	2768	WScript.exe	39
PID 2768 wrote to memory of 3036	2768	WScript.exe	39
PID 2768 wrote to memory of 3036	2768	WScript.exe	39
PID 2768 wrote to memory of 3036	2768	WScript.exe	39
PID 3036 wrote to memory of 1044	3036	svchcst.exe	40
PID 3036 wrote to memory of 1044	3036	svchcst.exe	40
PID 3036 wrote to memory of 1044	3036	svchcst.exe	40
PID 3036 wrote to memory of 1044	3036	svchcst.exe	40
PID 1044 wrote to memory of 1204	1044	WScript.exe	41
PID 1044 wrote to memory of 1204	1044	WScript.exe	41
PID 1044 wrote to memory of 1204	1044	WScript.exe	41
PID 1044 wrote to memory of 1204	1044	WScript.exe	41
PID 1204 wrote to memory of 1348	1204	svchcst.exe	42
PID 1204 wrote to memory of 1348	1204	svchcst.exe	42
PID 1204 wrote to memory of 1348	1204	svchcst.exe	42
PID 1204 wrote to memory of 1348	1204	svchcst.exe	42
PID 1348 wrote to memory of 1820	1348	WScript.exe	43
PID 1348 wrote to memory of 1820	1348	WScript.exe	43
PID 1348 wrote to memory of 1820	1348	WScript.exe	43
PID 1348 wrote to memory of 1820	1348	WScript.exe	43
PID 1820 wrote to memory of 2292	1820	svchcst.exe	44
PID 1820 wrote to memory of 2292	1820	svchcst.exe	44
PID 1820 wrote to memory of 2292	1820	svchcst.exe	44
PID 1820 wrote to memory of 2292	1820	svchcst.exe	44
PID 2292 wrote to memory of 992	2292	WScript.exe	45
PID 2292 wrote to memory of 992	2292	WScript.exe	45
PID 2292 wrote to memory of 992	2292	WScript.exe	45
PID 2292 wrote to memory of 992	2292	WScript.exe	45
PID 992 wrote to memory of 1588	992	svchcst.exe	46
PID 992 wrote to memory of 1588	992	svchcst.exe	46
PID 992 wrote to memory of 1588	992	svchcst.exe	46
PID 992 wrote to memory of 1588	992	svchcst.exe	46
PID 1588 wrote to memory of 2788	1588	WScript.exe	47
PID 1588 wrote to memory of 2788	1588	WScript.exe	47
PID 1588 wrote to memory of 2788	1588	WScript.exe	47
PID 1588 wrote to memory of 2788	1588	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe
"C:\Users\Admin\AppData\Local\Temp\5e4583c6479000d634552f0c23e4a590cbcf6bd181b9ac8d130d18872879ea24.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:676
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
53b00e0fc9949e011d4e59440041928e

SHA1
f8ac0362a8cd499a53ae2a937eccc23bd75734f5

SHA256
ffbfe9c1f5c26925e0f2673e5feee0d99cbcf11960ea4975eef48c013eb151ba

SHA512
05c0d062589e172edcdcd8338861a1fd95d5d5d1d530991f06944782217fd9c1c49f180662ca01e46c5d2a1d566712c204f10335778b71bd3ed1d0048d336f11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6e11da1c8a05db963ff0dda7c43866e0

SHA1
e1343d4a94a629047631b0c53a0501eace14d2a9

SHA256
2605d23ba5b4a9fc117704a99d9351dfffc81f22681becb9aa59d72a64a6a8f6

SHA512
74be18fd41e091762e317fd4565c13d36832ca7d8fbcb60631c8e818c25f447db2ed4b3bc20e4a97da5efeb3ab66dbe815f34776b3db338a1e7d41abc57c99ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1f4fd9a46db21a4c4413ef6389d596cf

SHA1
d815ff074e268368070ddc3225f3d69ce7f59522

SHA256
41bfb43a210c50a7f17dd93abe449871fd2a1546003dea12867d1c289f446e58

SHA512
447ea69d0a7596472a19f21974cf4e9242dc23f7e5aa9172f0a45b7d878662fdcff66ce07fd6aceebd5c2a04408b4aecdcac6960fd461d74bc9d96cb3055a5be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fa6fcc1923606f6a9e6b53a3fb17edfc

SHA1
5374b5fdb65cb6b65896698af0fcc16d209cf7db

SHA256
de23157722f414376128a1245faf4a39b060fc3a4a639f766a5911fde2dfc818

SHA512
8e5021ce1e034770487c44057c93aa848dd54a7407aae16d436b1e1b3868428128f7a84ff09be91531d1fa332df021279ee45c4d839dfb199f2ae7c10303cb1a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
82abc5a54aeaed1b17687c9b9c9b65e7

SHA1
a3a18e290f7c2a841091a10d81d92c7d844e9f8a

SHA256
aef2fc811323712e9a90e9fd4d32bb3abd6bbc14a092d4f592c94dc2772a67ab

SHA512
659492da34fcc5282e410d8e2f9f2de6443975809c4825a3f70c73db89d6c396240d01c164a4cc72cc69c47b12327af525eb1193867558d31a1bca0cb1fa8bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2d9d95123959d919a70239d390d4af1b

SHA1
f40e67d63184abc3b796e03719e9a218d752fe62

SHA256
468aea266623ba58add65ede1c4c23ed5bd1246b06487341e508518cefee5355

SHA512
5f6fb9d765cac0d76f730332996cae59bc5b11ab74f45e680d2ffd03c5ce57ebebdc33d902209c7fe9e7d5a8205b0822721be7dda0fdde841003c503b8dec333

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a9cae6022cb106bd9011e7ad2bbf65c7

SHA1
e597e55fbaef11f6ff0ed95952842ba24b0cd929

SHA256
aa3af6d8a681c670eb5e55300007318e983e3722b4dbffb73420ea68d88e721b

SHA512
ad8eb16dbad9c5743c76ff995f941cb233311ea7131beec0f61e71a48f1b58fefc2d1146c07e726d8b0f38c94470f570ee749671e0f848374fca1a8eee33de71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
12ccd82f220754258226efc6c04447e1

SHA1
0e00a539273264394faae0d7836ae49ef95b332f

SHA256
0ca7a73d45d52d63c8a2c5f1feec672f40d0c76a30d03d4c2c7456157d19a56e

SHA512
223f2c9226107f863aaf7afd166218c57fd0d49bc8a0c349eed14fb359aae0c885d0d2deb6801aaa4d4f72a133ce634c57d761663888ae1b61e8ec70e006a784

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d306c494363d96e09698c84f4e043d03

SHA1
f6abc075ee5c4af9807b56df31e98b1cfb20c77c

SHA256
9ef4f72ab6061c0059f96066eab61bd61b14d476ad21a4fe528bc7feef42cc99

SHA512
c1eda35c55371a7e34a09ba3bdcd4726e61ccf8f82d2e8a14c626e90b7f25766474dc4fda4d0233819304a0cc2ae0bad1061b23d42aa923273226acee00c32c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
01c2daaf8b1f686e9bfd0da86bae53c2

SHA1
bd12c3d9b7ecf71cd0facd0f5622da6175fb4d1c

SHA256
77beb45a7123baeb1d6ef1c968525a69a5001a82fde68c129603ccaa75fee347

SHA512
1db84b65684507e2e2b38636c7709d6250c0c2b971e568dc08415b337ec5b54ce850d5e6046f01475458a9691a51a0bffb22397253a4d24d85f0a95f8813603f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a41cce2e0062280903ba9f9cb02967f9

SHA1
5d8efc69d32963fc03b1cc0740fb5f52b58ad102

SHA256
9de2e9d7e1faa2219f212c84889ddd3e015d8472d6ee9235eb8a593eb1519094

SHA512
d582e2727bc07df8a9c1d1d155ffbc83a47ef75c361c36522d41533b58999da670f9fefadf57d50b814a9a938eada0669c6e942dbb676fac0203b1d52b60fb0c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
23d1a54cd4b21ecc1f6e994ed2314c19

SHA1
e6c0caaf739f4d57ad562bbb3f0dd6b21ca514f4

SHA256
e60deeba0eeef1b6b768ae8f37ae919cabbe42c69bffe9aafe0ae780080b94a9

SHA512
dfc27c22473fee4d0bef59617415ec7e0f2871851cd28b224a53627b5f08dee7bc138a1a54ee4a15ce9b71cadf6dbdb28a2e5cf287ea22481c6b550723bc8368

Download Submit
memory/2388-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download