1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
Size

1.1MB
MD5

dc5d1e9cb9933554ab659e0a98eb5ec5
SHA1

7b433a9b972d2121bc39b476cb0be1306e6131b8
SHA256

1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266
SHA512

6a72b307ea77df10de1159ca4ef0e32ffbff1ebd1985fe46585df323e7ab00283198b7211a6799a5d00a3b9c357e74012d3da691d0e030d9103c21326c585a54
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzMK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2656	svchcst.exe
2356	svchcst.exe
3056	svchcst.exe
640	svchcst.exe
2320	svchcst.exe
2980	svchcst.exe
1008	svchcst.exe
2584	svchcst.exe
2644	svchcst.exe
1844	svchcst.exe
484	svchcst.exe
2112	svchcst.exe
3012	svchcst.exe
2376	svchcst.exe
2020	svchcst.exe
2340	svchcst.exe
2640	svchcst.exe
1408	svchcst.exe
1972	svchcst.exe
692	svchcst.exe
280	svchcst.exe
2064	svchcst.exe
2572	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
1652	WScript.exe
1652	WScript.exe
2636	WScript.exe
2636	WScript.exe
2312	WScript.exe
1508	WScript.exe
1424	WScript.exe
1424	WScript.exe
1424	WScript.exe
1424	WScript.exe
820	WScript.exe
820	WScript.exe
1524	WScript.exe
1524	WScript.exe
2884	WScript.exe
2884	WScript.exe
912	WScript.exe
912	WScript.exe
2940	WScript.exe
2940	WScript.exe
916	WScript.exe
916	WScript.exe
2268	WScript.exe
2268	WScript.exe
2548	WScript.exe
2548	WScript.exe
1448	WScript.exe
1448	WScript.exe
2996	WScript.exe
2996	WScript.exe
2584	WScript.exe
2584	WScript.exe
2792	WScript.exe
2792	WScript.exe
1128	WScript.exe
1128	WScript.exe
1704	WScript.exe
1704	WScript.exe
2156	WScript.exe
2156	WScript.exe
1544	WScript.exe
1544	WScript.exe
2260	WScript.exe
2260	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
2656	svchcst.exe
2656	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
3056	svchcst.exe
3056	svchcst.exe
640	svchcst.exe
640	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe
484	svchcst.exe
484	svchcst.exe
2112	svchcst.exe
2112	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
2376	svchcst.exe
2376	svchcst.exe
2020	svchcst.exe
2020	svchcst.exe
2340	svchcst.exe
2340	svchcst.exe
2640	svchcst.exe
2640	svchcst.exe
1408	svchcst.exe
1408	svchcst.exe
1972	svchcst.exe
1972	svchcst.exe
692	svchcst.exe
692	svchcst.exe
280	svchcst.exe
280	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 1652	2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	30
PID 2524 wrote to memory of 1652	2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	30
PID 2524 wrote to memory of 1652	2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	30
PID 2524 wrote to memory of 1652	2524	1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe	30
PID 1652 wrote to memory of 2656	1652	WScript.exe	32
PID 1652 wrote to memory of 2656	1652	WScript.exe	32
PID 1652 wrote to memory of 2656	1652	WScript.exe	32
PID 1652 wrote to memory of 2656	1652	WScript.exe	32
PID 2656 wrote to memory of 2636	2656	svchcst.exe	33
PID 2656 wrote to memory of 2636	2656	svchcst.exe	33
PID 2656 wrote to memory of 2636	2656	svchcst.exe	33
PID 2656 wrote to memory of 2636	2656	svchcst.exe	33
PID 2636 wrote to memory of 2356	2636	WScript.exe	34
PID 2636 wrote to memory of 2356	2636	WScript.exe	34
PID 2636 wrote to memory of 2356	2636	WScript.exe	34
PID 2636 wrote to memory of 2356	2636	WScript.exe	34
PID 2356 wrote to memory of 2312	2356	svchcst.exe	35
PID 2356 wrote to memory of 2312	2356	svchcst.exe	35
PID 2356 wrote to memory of 2312	2356	svchcst.exe	35
PID 2356 wrote to memory of 2312	2356	svchcst.exe	35
PID 2312 wrote to memory of 3056	2312	WScript.exe	37
PID 2312 wrote to memory of 3056	2312	WScript.exe	37
PID 2312 wrote to memory of 3056	2312	WScript.exe	37
PID 2312 wrote to memory of 3056	2312	WScript.exe	37
PID 3056 wrote to memory of 1508	3056	svchcst.exe	38
PID 3056 wrote to memory of 1508	3056	svchcst.exe	38
PID 3056 wrote to memory of 1508	3056	svchcst.exe	38
PID 3056 wrote to memory of 1508	3056	svchcst.exe	38
PID 1508 wrote to memory of 640	1508	WScript.exe	39
PID 1508 wrote to memory of 640	1508	WScript.exe	39
PID 1508 wrote to memory of 640	1508	WScript.exe	39
PID 1508 wrote to memory of 640	1508	WScript.exe	39
PID 640 wrote to memory of 1424	640	svchcst.exe	40
PID 640 wrote to memory of 1424	640	svchcst.exe	40
PID 640 wrote to memory of 1424	640	svchcst.exe	40
PID 640 wrote to memory of 1424	640	svchcst.exe	40
PID 1424 wrote to memory of 2320	1424	WScript.exe	41
PID 1424 wrote to memory of 2320	1424	WScript.exe	41
PID 1424 wrote to memory of 2320	1424	WScript.exe	41
PID 1424 wrote to memory of 2320	1424	WScript.exe	41
PID 2320 wrote to memory of 820	2320	svchcst.exe	42
PID 2320 wrote to memory of 820	2320	svchcst.exe	42
PID 2320 wrote to memory of 820	2320	svchcst.exe	42
PID 2320 wrote to memory of 820	2320	svchcst.exe	42
PID 1424 wrote to memory of 2980	1424	WScript.exe	43
PID 1424 wrote to memory of 2980	1424	WScript.exe	43
PID 1424 wrote to memory of 2980	1424	WScript.exe	43
PID 1424 wrote to memory of 2980	1424	WScript.exe	43
PID 2980 wrote to memory of 2360	2980	svchcst.exe	44
PID 2980 wrote to memory of 2360	2980	svchcst.exe	44
PID 2980 wrote to memory of 2360	2980	svchcst.exe	44
PID 2980 wrote to memory of 2360	2980	svchcst.exe	44
PID 820 wrote to memory of 1008	820	WScript.exe	45
PID 820 wrote to memory of 1008	820	WScript.exe	45
PID 820 wrote to memory of 1008	820	WScript.exe	45
PID 820 wrote to memory of 1008	820	WScript.exe	45
PID 1008 wrote to memory of 1524	1008	svchcst.exe	46
PID 1008 wrote to memory of 1524	1008	svchcst.exe	46
PID 1008 wrote to memory of 1524	1008	svchcst.exe	46
PID 1008 wrote to memory of 1524	1008	svchcst.exe	46
PID 1524 wrote to memory of 2584	1524	WScript.exe	47
PID 1524 wrote to memory of 2584	1524	WScript.exe	47
PID 1524 wrote to memory of 2584	1524	WScript.exe	47
PID 1524 wrote to memory of 2584	1524	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe
"C:\Users\Admin\AppData\Local\Temp\1bd1af37a2d374d2628cf16b79dd75464bdfea6294fe438c76e8c57f17685266.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a585bde7dd638455128e590cf4a66488

SHA1
ae558c58b8d5b80f60490384ff3f7f3bbe7ad0c5

SHA256
9825a3fe3cdab39df61897d195272cebd58684edc7aa04d9ff21781fb2e3ce00

SHA512
e866bbdb091527f76052c551001511af5b5090a945da0d365b07bdbbc46c6ac8a4454c545c7c22765b4785fb385ffabcaea6558b30ed03b49af34183a1652851

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
51b2348c37bbedcb127fa176820f5ea2

SHA1
6e70ca09179127890e64c4ffa345b2af573c39fa

SHA256
7b37f5580068bfba5583d762d9b64c8ee6468a9e064547f230757c4be595bd02

SHA512
0f9755ae0408b0dd6e1279bfa8c5dfbe63b3775a81a3c5b342c5e56e7521d292b0c4e94053e6fa0c3da233f3af60aae2dc28749f991ea81fd9bf2627698a343e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a7a7dcf9cf793584c92e7c58e857495d

SHA1
09ce1a7401bbbfcc0f22bbbad3e1a6676a6983e5

SHA256
c751b05561131c0b88fdf778542ee5ee903a42e7a17f673a1acbf6c27ecbd5ec

SHA512
2fac37fad6f599814f0693b6fc1c04e75a1ffbce14f590dc813f312d3317f4492dd49c80aed3b8a5b8ede00646ce408e22910bd842805d55ea61112858300543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fa49c09ef61754a00f931a54b5a2a9f1

SHA1
e276fa35cfd861dac4d2212fdc66dbca38c6fcc6

SHA256
ba459799e24fb3ba416dc61d3e055e6e45f7b6cfcbe0ee6245c4065bafffc0aa

SHA512
9590cb38472c862f2193624f961e998dcfa97986c78ef655783898b6cf514640946e4ae2bc005ebd44aca0306f39a50eca752f9b8e833fe3dab19a91d281d79d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c87b569103f17744a88ff02f10c4fb4

SHA1
b31e3967a8b00dddd4efa3df67092156bbec7ad6

SHA256
6ce281254ea2b71746e30bfd57764827dd8eed5b5f01a9feb37174e0a90ee9a1

SHA512
d4eb5249deabe6a02220e57965f45e496a2ca77e4f665f87522bc7406c66166cae7008ac9e0b8842f9cd306e83b52b07bdef5c5207d96ebde6e06e4330a4c1b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ae0d3a910ec0918200eade5cac901af5

SHA1
1217a613ed44dc887ae615197ca0c47777bba69a

SHA256
720fac5630fd6e67f6de3c3418b9b6dc159818bff73432094a4d5a841dea365f

SHA512
f0961380a43c390c0b7d1300c97122965b8aea22b83afc94f0a880961511b266950a3f509b8c93a59e54eccc0897845bbe9a21f7d95e2ac10a04a8a6bc696d98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f05928db645de3641712db43f5efe97c

SHA1
ecaa1f9e0e22b3bd55096b7292d6c1e1fd794345

SHA256
cbd3632d21d211cb70ea8ac218f49a82cb8825c73e0f57b06f3b1d45aec46bb9

SHA512
aca8f492a78ad049c6de150f87bec846835161e0c5ad61ca31affdaeb0e99b210d217fdd712a2aaf14f29dc73b7aea2b0e35b6dff755d008c9a250982ba89d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1b289e1ebcd246c748d0602f5f494fc4

SHA1
0bc15f46ad5d696746e5da8212ebc7d7436534a3

SHA256
9cb24cc898e3d16eece5aff9e7c813afe8fa504529bef2706c09a435a9d0a624

SHA512
dfd36c20a7bd92954c52251defc029b8564c28d0cde80b7b56a7804c9612cf3ba80a0b747e545ceccefeadc4c7665abf69910736342a870d0e5431d44f081b8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
97df711522db5b4eaa570d43e10e4c52

SHA1
046521923d836cbee97a24bf667d174398253f2e

SHA256
2658f629606e2570edfa05dc11296a230b6bd1a98185d6781277638fedcc6e0c

SHA512
5e75f931d5ef040aa03e030dcea06f58df67c45a9d52b0b7e9c86dbcaadf83ba47dd4e5b2543ff3fd9d94079366aebb1f170722328648203b65304e3cb2e28e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a7994335aaf8d91f8693041271f43425

SHA1
e86a0ca00dd6423bf0e59045e9da3d399f715735

SHA256
2e469ee18ab6b65e807f9faed7f91189be548a5ee2e0f5dec9c1827792b93c3e

SHA512
f00695dd87c14c76a6216d3db34f5083ed7db4a842dcdf10c8a989b0706e9277958d188984e827317340c95293b4c34c40e8ff961fd511862702db11e9a42fe5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e1f02101e0be05eb9423f143de39e6e0

SHA1
78ce91f50bcb31fc374b127878401f36535eaf77

SHA256
d8eaad8c8040fc0756659820f01dcc627090caf9a2a3a52666a7856b134b7558

SHA512
8a826dfad0123ebd88964abffbe8a66752c2018fd6273522b64fd4e8044158facf4c4f5f0e0743a1cc408c88fc92a9151aa86844b8cbe56257bf971962b25348

Download Submit
memory/2524-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download