c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
Size

1.1MB
MD5

bceb8935ffcaa966cfe7956865070c3c
SHA1

ee43801806db0062b521e2ffc4e63eca93d44027
SHA256

c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d
SHA512

d60074960825f33ddbdf8f8e83e4a33ee89cd30969b40a09387515381b6783d06dc1eb3592b8c921eed4dc01385f19b493889b6242e7765c2c35e1079727aaa2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qh:CcaClSFlG4ZM7QzMC

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2844	svchcst.exe

Executes dropped EXE 22 IoCs

pid	Process
2844	svchcst.exe
1796	svchcst.exe
1236	svchcst.exe
956	svchcst.exe
828	svchcst.exe
1716	svchcst.exe
1992	svchcst.exe
2164	svchcst.exe
2840	svchcst.exe
2736	svchcst.exe
2384	svchcst.exe
2124	svchcst.exe
880	svchcst.exe
2368	svchcst.exe
2320	svchcst.exe
1912	svchcst.exe
1768	svchcst.exe
2796	svchcst.exe
2160	svchcst.exe
2212	svchcst.exe
1996	svchcst.exe
2488	svchcst.exe

Loads dropped DLL 41 IoCs

pid	Process
2324	WScript.exe
2324	WScript.exe
2584	WScript.exe
2584	WScript.exe
2304	WScript.exe
2304	WScript.exe
1596	WScript.exe
1596	WScript.exe
1640	WScript.exe
2360	WScript.exe
2360	WScript.exe
1664	WScript.exe
1664	WScript.exe
1576	WScript.exe
2852	WScript.exe
2852	WScript.exe
2852	WScript.exe
2696	WScript.exe
2696	WScript.exe
1452	WScript.exe
1452	WScript.exe
2100	WScript.exe
2100	WScript.exe
1896	WScript.exe
1896	WScript.exe
1436	WScript.exe
1436	WScript.exe
108	WScript.exe
108	WScript.exe
2580	WScript.exe
2580	WScript.exe
744	WScript.exe
744	WScript.exe
2560	WScript.exe
2560	WScript.exe
1496	WScript.exe
1496	WScript.exe
1316	WScript.exe
1316	WScript.exe
2892	WScript.exe
2892	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
2844	svchcst.exe
2844	svchcst.exe
1796	svchcst.exe
1796	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe
956	svchcst.exe
956	svchcst.exe
828	svchcst.exe
828	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
880	svchcst.exe
880	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2160	svchcst.exe
2160	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
2488	svchcst.exe
2488	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 2324	944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe	31
PID 944 wrote to memory of 2324	944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe	31
PID 944 wrote to memory of 2324	944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe	31
PID 944 wrote to memory of 2324	944	c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe	31
PID 2324 wrote to memory of 2844	2324	WScript.exe	33
PID 2324 wrote to memory of 2844	2324	WScript.exe	33
PID 2324 wrote to memory of 2844	2324	WScript.exe	33
PID 2324 wrote to memory of 2844	2324	WScript.exe	33
PID 2844 wrote to memory of 2584	2844	svchcst.exe	34
PID 2844 wrote to memory of 2584	2844	svchcst.exe	34
PID 2844 wrote to memory of 2584	2844	svchcst.exe	34
PID 2844 wrote to memory of 2584	2844	svchcst.exe	34
PID 2584 wrote to memory of 1796	2584	WScript.exe	35
PID 2584 wrote to memory of 1796	2584	WScript.exe	35
PID 2584 wrote to memory of 1796	2584	WScript.exe	35
PID 2584 wrote to memory of 1796	2584	WScript.exe	35
PID 1796 wrote to memory of 2304	1796	svchcst.exe	36
PID 1796 wrote to memory of 2304	1796	svchcst.exe	36
PID 1796 wrote to memory of 2304	1796	svchcst.exe	36
PID 1796 wrote to memory of 2304	1796	svchcst.exe	36
PID 2304 wrote to memory of 1236	2304	WScript.exe	37
PID 2304 wrote to memory of 1236	2304	WScript.exe	37
PID 2304 wrote to memory of 1236	2304	WScript.exe	37
PID 2304 wrote to memory of 1236	2304	WScript.exe	37
PID 1236 wrote to memory of 1596	1236	svchcst.exe	38
PID 1236 wrote to memory of 1596	1236	svchcst.exe	38
PID 1236 wrote to memory of 1596	1236	svchcst.exe	38
PID 1236 wrote to memory of 1596	1236	svchcst.exe	38
PID 1596 wrote to memory of 956	1596	WScript.exe	39
PID 1596 wrote to memory of 956	1596	WScript.exe	39
PID 1596 wrote to memory of 956	1596	WScript.exe	39
PID 1596 wrote to memory of 956	1596	WScript.exe	39
PID 956 wrote to memory of 1640	956	svchcst.exe	40
PID 956 wrote to memory of 1640	956	svchcst.exe	40
PID 956 wrote to memory of 1640	956	svchcst.exe	40
PID 956 wrote to memory of 1640	956	svchcst.exe	40
PID 1640 wrote to memory of 828	1640	WScript.exe	41
PID 1640 wrote to memory of 828	1640	WScript.exe	41
PID 1640 wrote to memory of 828	1640	WScript.exe	41
PID 1640 wrote to memory of 828	1640	WScript.exe	41
PID 828 wrote to memory of 2360	828	svchcst.exe	42
PID 828 wrote to memory of 2360	828	svchcst.exe	42
PID 828 wrote to memory of 2360	828	svchcst.exe	42
PID 828 wrote to memory of 2360	828	svchcst.exe	42
PID 2360 wrote to memory of 1716	2360	WScript.exe	43
PID 2360 wrote to memory of 1716	2360	WScript.exe	43
PID 2360 wrote to memory of 1716	2360	WScript.exe	43
PID 2360 wrote to memory of 1716	2360	WScript.exe	43
PID 1716 wrote to memory of 1664	1716	svchcst.exe	44
PID 1716 wrote to memory of 1664	1716	svchcst.exe	44
PID 1716 wrote to memory of 1664	1716	svchcst.exe	44
PID 1716 wrote to memory of 1664	1716	svchcst.exe	44
PID 1664 wrote to memory of 1992	1664	WScript.exe	45
PID 1664 wrote to memory of 1992	1664	WScript.exe	45
PID 1664 wrote to memory of 1992	1664	WScript.exe	45
PID 1664 wrote to memory of 1992	1664	WScript.exe	45
PID 1992 wrote to memory of 1576	1992	svchcst.exe	46
PID 1992 wrote to memory of 1576	1992	svchcst.exe	46
PID 1992 wrote to memory of 1576	1992	svchcst.exe	46
PID 1992 wrote to memory of 1576	1992	svchcst.exe	46
PID 1576 wrote to memory of 2164	1576	WScript.exe	47
PID 1576 wrote to memory of 2164	1576	WScript.exe	47
PID 1576 wrote to memory of 2164	1576	WScript.exe	47
PID 1576 wrote to memory of 2164	1576	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe
"C:\Users\Admin\AppData\Local\Temp\c65ced090c6edc09bd7761f940c292b626b0f3c346ad676a29fd94a8be00817d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8141a03c496937f05814723c0c447b76

SHA1
355292b60c85e48437da5d8be5946f2a4cf7ebe6

SHA256
f46f82ff7ebee63ad839f84694cd304b8d2b829b22e49204a2e2c1b7021b72d4

SHA512
b3c440d9d91e947261d2db4910f9b4956a99df5d267b42cb603ddf2c8b5c6e46bae1e0323fd5d22ef4ea4ddbb5333947594ee815bca8f332ed54bd9ac259caf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6998fa6acf02bf81ca3b787bf2aac86

SHA1
c3c08503b40c243120c2815bec43823d1457c93f

SHA256
5f2a7d05a52819de3a4caa28c4b355ca484eea50de6ed9ce8078d244de25e365

SHA512
068536d1ae495d6610534c4536f6024b33bac2e935cb37f99668affefcb8d1fcd8c420e150b6e5807a58157eec83b24cc9017e7cb7b597a7523decdfbaf2a8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c91530bbaec9815f2db19bd6645b8729

SHA1
ea901a28f06bfbfc1dc9c3391910a87bfaf07020

SHA256
7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

SHA512
7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a94f175aa11ab39ad0cc8fca08fc4479

SHA1
1af2f139e7ad4d6a0e2e4ebc7958c6fb29ec7473

SHA256
81d1f66afc39e695f6ae9161e5cd8e4f1365a7522db1981275f3151325abbe13

SHA512
5b846ae804e8a0c922506db1fd55a995d88dd7569b8cb2e1aac86d6dbdfb79ee1491680d47ea4a0fb2c56d78df7d5bb5368dfa69ac1289083209940a0c6eff8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1de0438a97b946fe0dba5dc86e05aad4

SHA1
b2a6c907a91f3ca7b5a6e8ea988415665cfaa8dd

SHA256
df12ed357f37298e708e923dfa7ee5c6932fb92e54e7b04a7bc8eea89d61fd8d

SHA512
2ced61a7abcf63cdf1c14adbbecbdf2dd4f8bae2f34a4cd942a2e612919278ea2eef5eb6c9f5b4edf48ebb9d580a1d8d56e9f7f3a0b04a0d374669aa6dd7a509

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a54de35a0299e0bfabdcf85ba1361f70

SHA1
f8435e4e54bb69ffc908c74105b5541a761efa35

SHA256
8a7500443a7ba2369e9dc0f15a931e840c0b9747a3f9f3a63ba8199b38e98f46

SHA512
8eeb06d2fc9663fa142bf1bd8c8f2055638bb06211ca0757712d2404ac470ce0798445b370534483eaded019fe715f075971c2410351fcfb464fb2becb9473bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7448fa1b7723a877078ab865adee5fc7

SHA1
3c1ee14b23f9d938cc0a832fd7c3a65d2fa80cf9

SHA256
f8c18bc63b5ec4c16713014259c22c86d32d81787e501e281f2b1503eb4b8afe

SHA512
853b9b0d96331715d71ee4852fa353f6ccf6300e1885df76093af7ff73336249ff7203d7d9ae55b6ab24f0f358539b3e185909444f4b00ff52700c6ae23d02d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
567a8c39cbc207b368a9c2009388fb7e

SHA1
fa6fbb03bca52577acb38c019ad94b87b65cfecf

SHA256
e75460d9d9dc90dc25cf476c3297ea8561c2ca8b532e8ca5391fcc379eb3192f

SHA512
ef41f14fe76fddd80b93f26f5ba3f0e01ee340ea8f47f394a0d31010cad780921d178fb0a9c0a8b153857486270e41686f3490291230fdbd60e25162c5173a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e36d4b3cb7fd42f2b21a7987f0179ca7

SHA1
9648e2aa4de081b70aa93183229054a5489fafca

SHA256
034d46f34a25582e504f74ea4a1b210b5f82de03a21963f3f0625bbb2b8e0f46

SHA512
e0dc3f17b6e40246f34870e48ab6b60ef8ba388ae1f1d814fe0d7b7ea4d36c7276f25bf179d834f9bbe9416f2ffbbead553e038b861e9a47b8cdf80f21faf2b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f5006b2872a55cbe727e26dffb8c8505

SHA1
6da73da56d32312990abe053083a33f04ceff557

SHA256
067e7815e7be19471797f35f145c3739b805940d677f703e8d272bc2223567f5

SHA512
9eaf7a35e46339543babd5a4d9d0ed37c70dc09a72667fee0c49524abf1ac79e647188c9e9e2c2099f995c01aa1762c118c4744a5be8e6162f32e23411cf413f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
69eecc7ac883f85668803bdf90b6fdec

SHA1
70d1bbeb6f33eb45f6648744072f16a56196e68d

SHA256
0cf4eff97994d8b7517d32d37e94d954f4ca99a7e992f25d7b84af0b2b356afa

SHA512
ab69b7cd4554b55439b4be4d4e63f1368b7483a12c8551109942324533b69af8a986b96a6617ebbd244322364da5ba15d51a5583c7b0d8db1a7724a62804ce19

Download Submit
memory/944-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download