144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606

Analysis

max time kernel
126s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe
Size

1.1MB
MD5

063991894cab7e00e6f9aba38f13bdae
SHA1

bc734b6fd26a049b93769079fe85f489378f014e
SHA256

144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606
SHA512

2786bb047f5de340feb06d528dcf6acb41a8ff1fea0508dbcf757993a27f7e3d0ae736c7129968fb715e62caedb5dcdee7f34c5219a62ba31af66fef4ef671e4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q7:CcaClSFlG4ZM7QzMs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2988	svchcst.exe

Executes dropped EXE 21 IoCs

pid	Process
2988	svchcst.exe
2152	svchcst.exe
2520	svchcst.exe
2912	svchcst.exe
2116	svchcst.exe
1488	svchcst.exe
3012	svchcst.exe
2472	svchcst.exe
2560	svchcst.exe
2504	svchcst.exe
888	svchcst.exe
3004	svchcst.exe
1848	svchcst.exe
2172	svchcst.exe
640	svchcst.exe
2068	svchcst.exe
2144	svchcst.exe
1252	svchcst.exe
2164	svchcst.exe
2900	svchcst.exe
2964	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
1912	WScript.exe
1912	WScript.exe
2580	WScript.exe
2580	WScript.exe
1884	WScript.exe
1884	WScript.exe
1728	WScript.exe
1728	WScript.exe
2248	WScript.exe
2248	WScript.exe
780	WScript.exe
780	WScript.exe
2212	WScript.exe
2212	WScript.exe
1520	WScript.exe
1520	WScript.exe
2728	WScript.exe
2728	WScript.exe
2528	WScript.exe
2528	WScript.exe
2940	WScript.exe
2940	WScript.exe
2260	WScript.exe
2260	WScript.exe
1540	WScript.exe
1540	WScript.exe
1272	WScript.exe
1272	WScript.exe
2072	WScript.exe
2072	WScript.exe
2360	WScript.exe
2360	WScript.exe
2604	WScript.exe
2604	WScript.exe
1948	WScript.exe
1948	WScript.exe
1472	WScript.exe
1472	WScript.exe
2972	WScript.exe
2780	WScript.exe
2972	WScript.exe
2780	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe
2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe
2988	svchcst.exe
2988	svchcst.exe
2152	svchcst.exe
2152	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2116	svchcst.exe
2116	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
2472	svchcst.exe
2472	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
888	svchcst.exe
888	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
1848	svchcst.exe
1848	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
640	svchcst.exe
640	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1912	2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe	30
PID 2348 wrote to memory of 1912	2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe	30
PID 2348 wrote to memory of 1912	2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe	30
PID 2348 wrote to memory of 1912	2348	144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe	30
PID 1912 wrote to memory of 2988	1912	WScript.exe	33
PID 1912 wrote to memory of 2988	1912	WScript.exe	33
PID 1912 wrote to memory of 2988	1912	WScript.exe	33
PID 1912 wrote to memory of 2988	1912	WScript.exe	33
PID 2988 wrote to memory of 2580	2988	svchcst.exe	34
PID 2988 wrote to memory of 2580	2988	svchcst.exe	34
PID 2988 wrote to memory of 2580	2988	svchcst.exe	34
PID 2988 wrote to memory of 2580	2988	svchcst.exe	34
PID 2580 wrote to memory of 2152	2580	WScript.exe	35
PID 2580 wrote to memory of 2152	2580	WScript.exe	35
PID 2580 wrote to memory of 2152	2580	WScript.exe	35
PID 2580 wrote to memory of 2152	2580	WScript.exe	35
PID 2152 wrote to memory of 1884	2152	svchcst.exe	36
PID 2152 wrote to memory of 1884	2152	svchcst.exe	36
PID 2152 wrote to memory of 1884	2152	svchcst.exe	36
PID 2152 wrote to memory of 1884	2152	svchcst.exe	36
PID 1884 wrote to memory of 2520	1884	WScript.exe	37
PID 1884 wrote to memory of 2520	1884	WScript.exe	37
PID 1884 wrote to memory of 2520	1884	WScript.exe	37
PID 1884 wrote to memory of 2520	1884	WScript.exe	37
PID 2520 wrote to memory of 1728	2520	svchcst.exe	38
PID 2520 wrote to memory of 1728	2520	svchcst.exe	38
PID 2520 wrote to memory of 1728	2520	svchcst.exe	38
PID 2520 wrote to memory of 1728	2520	svchcst.exe	38
PID 1728 wrote to memory of 2912	1728	WScript.exe	39
PID 1728 wrote to memory of 2912	1728	WScript.exe	39
PID 1728 wrote to memory of 2912	1728	WScript.exe	39
PID 1728 wrote to memory of 2912	1728	WScript.exe	39
PID 2912 wrote to memory of 2248	2912	svchcst.exe	40
PID 2912 wrote to memory of 2248	2912	svchcst.exe	40
PID 2912 wrote to memory of 2248	2912	svchcst.exe	40
PID 2912 wrote to memory of 2248	2912	svchcst.exe	40
PID 2248 wrote to memory of 2116	2248	WScript.exe	41
PID 2248 wrote to memory of 2116	2248	WScript.exe	41
PID 2248 wrote to memory of 2116	2248	WScript.exe	41
PID 2248 wrote to memory of 2116	2248	WScript.exe	41
PID 2116 wrote to memory of 780	2116	svchcst.exe	42
PID 2116 wrote to memory of 780	2116	svchcst.exe	42
PID 2116 wrote to memory of 780	2116	svchcst.exe	42
PID 2116 wrote to memory of 780	2116	svchcst.exe	42
PID 780 wrote to memory of 1488	780	WScript.exe	43
PID 780 wrote to memory of 1488	780	WScript.exe	43
PID 780 wrote to memory of 1488	780	WScript.exe	43
PID 780 wrote to memory of 1488	780	WScript.exe	43
PID 1488 wrote to memory of 2212	1488	svchcst.exe	44
PID 1488 wrote to memory of 2212	1488	svchcst.exe	44
PID 1488 wrote to memory of 2212	1488	svchcst.exe	44
PID 1488 wrote to memory of 2212	1488	svchcst.exe	44
PID 2212 wrote to memory of 3012	2212	WScript.exe	45
PID 2212 wrote to memory of 3012	2212	WScript.exe	45
PID 2212 wrote to memory of 3012	2212	WScript.exe	45
PID 2212 wrote to memory of 3012	2212	WScript.exe	45
PID 3012 wrote to memory of 1520	3012	svchcst.exe	46
PID 3012 wrote to memory of 1520	3012	svchcst.exe	46
PID 3012 wrote to memory of 1520	3012	svchcst.exe	46
PID 3012 wrote to memory of 1520	3012	svchcst.exe	46
PID 1520 wrote to memory of 2472	1520	WScript.exe	47
PID 1520 wrote to memory of 2472	1520	WScript.exe	47
PID 1520 wrote to memory of 2472	1520	WScript.exe	47
PID 1520 wrote to memory of 2472	1520	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe
"C:\Users\Admin\AppData\Local\Temp\144b575f5a338ef839c7aa6e51f473ea349bb68bb7ed149448bdd3c385df7606.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b57a66a415726a2a6716a7288331a5f4

SHA1
da3e169f36752b8504bcbc08984be7ce39503bc8

SHA256
f788e93cc28a9493b012a2ca5c12c14aff5ba7035311abab5fcd4bfa055029ba

SHA512
8ab01155bac73ebdd5f26be59de70bc75744b8f6bef91f8f4a05743342c706326106c38ed805192b37fc846e5d66e8699f0d847a6ee4125838bd95c6eed5cb18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6491ffe6ef75436d9e660280f5c7fa8f

SHA1
aa563dfffa849153924e8a50f5b562663d1549b5

SHA256
61926578340a542bb64c6abd62437790f27fe9f3c91f6e7bc3268fe318333382

SHA512
7caf0a3528181a867f6a7d1e705531db6eb12a82faa881fde4693b6d1f57be05e589c9276fc6364204494cd9c65f355a35d1dafb0d02582346057b5c4b8c2193

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c5ae655707a21f6473c5f382a787e100

SHA1
1d2078ebfae286212eb90e60c9dbce5e70ac24f1

SHA256
baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

SHA512
af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c0b5050d31a3c3086d56cf03dbf39e65

SHA1
2f16721133b7efffc3b7c495803a409b47223c1f

SHA256
4eed6a5c4f010b8604f822c91683ba0cf9c2c1f7fd803bcd9c05bfd36d84f37a

SHA512
be8a9ade498e5b54e7ca07bb3f9f114962847942d282e46e2b4f3e53704b27b47853c7bc60e5fdfc777b6e1fa2f8d34aa0d3321354c8a6b81d1640ce7780d9d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e628c591336901ed147ff2b8ea23dcc9

SHA1
a93b2894fa82a74c1cfb35a4eba262968d188139

SHA256
638b5ee72ad921ef9cc6872c0d05c67e138b63c6c7ee851e0bc0b383dbcce582

SHA512
0e6f3ae7c0f804e5b2b892ff405eb79500ff5c5566c5754a436f86c543112fc5d971c577687e75dea8795533f79b06ff273e074fa397f59d6b6b529cf3fea1ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f676987484d3d3721cb9d3ed4d6f6829

SHA1
90f09ab7f28ea4bd3f5a86e59d770d058dfafd20

SHA256
4ea8dbd964ffe4b7ea5a2edd29c7ce845126f6ec216af69aadb5315150b977f6

SHA512
7df3c4b585d98cb4285f458b37185edc3922e315b57ab26399009a3a50b830679e1073d152b2d045df7b18d0302e2909c5c8ff6bec330b8b784a90951fe977eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ba95952d9049132ebb393414357cc823

SHA1
fe8d19708733bcf3793ccff3a91882b6e8d48936

SHA256
8f3d8f3f39b03ddf58d66cd83619b07c7fb038e68a5ee7448b9f9a43c976658f

SHA512
0187d046a4f93f145d95f129b708b9b2635c60984d13695c86761db175aaa8beb3cac3e47d9ef347fc0fb5b0b6180589b2a12323260783b5bf772669b80168d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
295416a2378f3571df78e786a9ec7c6d

SHA1
7945b0b2fa8d93b4381c16fd4679d3c1ecf2c47b

SHA256
e948f0db77f4f33a2884862c01681d466590e3515ff9dd0dad897e8b2a945b10

SHA512
e4b55554da7231f08f076ee686b1dfa0ba6463b6cf320a19904e40ee73a8dd388f825ca4d7e049aa96e80a81273c3047b91c20e5374df9dc2964a47575f029d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b64a3fc8e565068d1e9fdbf1852176f

SHA1
55db04f47046f6a1c51929c1c41b083aaf3aa83d

SHA256
cf18d0ac861c65f51c9518b7dd06d9cd651310726cb3ee9b6e339a2771a5b013

SHA512
e28a142c6824e49a3011e46fa91b0de5d16135a4bb67276727a64d923207242b52700098ef88ae1f917925dc90c8e77b1ff3db751cd6a24bf4019cf17f745a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ce012f5dc35ace08107b029d72fd3914

SHA1
f893aafdd12166c9bb2a343af205ba20d7143cbb

SHA256
fbaa16eefdef3b5edcd1196f998dbb9a0dfb359ad35c386cdf8a96071a1111cd

SHA512
e62afa88298316da890816fdd21caa5b200864c59be5f733dcdc7ae9b0ff2068bb932ad31f97e7f920a1ce7a8007f99728862445c1bf286c30722cc929a2aa07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bf26d25d229ef78ee953252c11e58e7f

SHA1
ade94a43fafc3d9a4c6b7ce3aaca019f83590a7f

SHA256
39533bd500e5a3b76c278f68068a57f899da27b1b5f75f193fa3f59869f6dd3e

SHA512
e788d7fadb4650c7ae3aec56c86820fbbeee7d3a7c0b1bb8ce4cfe436d07b06c8672070a937156d540ce3058707ed8ddfe4c3ac650928b7c3606b8936427d7f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ec47b08331f93af4dbc76ed1a082b769

SHA1
63e89280b8707cccc1dba3e0df2d72078e0ddd1d

SHA256
e0b0af2e1645d12da3eed03fa5b84e4319cec78c4091dbef6246df5fefb67855

SHA512
06834dfb3ee4fc6d9930aade4b948ee52f010582f811e90d2fcd0d3cf47b3fed27eedd170da16303e5600165c0b1c8e0ceb2c8fa61af0f573229329ce2e43ec6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4a78feb99d40666db5d33f68ad918eb4

SHA1
711a24733956940cb478806b991274cfc147fcb1

SHA256
d631d26720f3db4ff7a9f79094702209db49e0bc94f18c8fefafb5df42ab14fd

SHA512
3635e08e666e104df2f9061cd35cf49f2fc26a4119eeebe620ce368a65110c842e0be5d3f69667fb50f87f0bc0f01dc39543ee51c4d12ecf78d3f55cbc9c15c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0d1c984d34cf3492fa4242d7001b983c

SHA1
6b14915deae8940cf6fc86f25d8622f3b11aab68

SHA256
29d1ee59bd430e2f10a6527ecc6c0474eb885ab0938caf8e2a8cb628bb4e1f2b

SHA512
1140638b27937534cbd0cb9a38b1146dcbc0a1f2b8849861e607df2243009da884bd09df33377d690631417758a0646e9fab85672256fc38bbd96aac07f49c9a

Download Submit
memory/2348-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download