8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6

Analysis

max time kernel
89s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe
Size

1.1MB
MD5

e6951f7d29a0fed4b2f0cbeba2b98ed3
SHA1

4fa016bcc8b1df2f50ee195decc3977a2497c7c0
SHA256

8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6
SHA512

02b953fd3c47a30e11af9a82592fb488056979dde0a4d5875d871e600ef65b1e5cd0f5d44011ac0f20ad081635c2302e289e72a52e150d12de586bbb98d6dea9
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qr:CcaClSFlG4ZM7QzMc

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	svchcst.exe

Executes dropped EXE 16 IoCs

pid	Process
2848	svchcst.exe
1292	svchcst.exe
1820	svchcst.exe
1504	svchcst.exe
2056	svchcst.exe
2092	svchcst.exe
2568	svchcst.exe
2760	svchcst.exe
2504	svchcst.exe
2520	svchcst.exe
2620	svchcst.exe
1496	svchcst.exe
3016	svchcst.exe
308	svchcst.exe
756	svchcst.exe
2980	svchcst.exe

Loads dropped DLL 29 IoCs

pid	Process
2328	WScript.exe
2328	WScript.exe
2172	WScript.exe
2084	WScript.exe
2172	WScript.exe
2084	WScript.exe
1568	WScript.exe
2244	WScript.exe
2244	WScript.exe
2244	WScript.exe
2076	WScript.exe
2076	WScript.exe
948	WScript.exe
948	WScript.exe
2696	WScript.exe
2696	WScript.exe
2728	WScript.exe
2728	WScript.exe
2908	WScript.exe
2908	WScript.exe
1176	WScript.exe
1176	WScript.exe
2344	WScript.exe
2344	WScript.exe
112	WScript.exe
112	WScript.exe
2040	WScript.exe
2040	WScript.exe
2976	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe
3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe
2848	svchcst.exe
2848	svchcst.exe
1292	svchcst.exe
1292	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
1504	svchcst.exe
1504	svchcst.exe
2056	svchcst.exe
2056	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
2568	svchcst.exe
2568	svchcst.exe
2760	svchcst.exe
2760	svchcst.exe
2504	svchcst.exe
2504	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
308	svchcst.exe
308	svchcst.exe
756	svchcst.exe
756	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2328	3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe	29
PID 3060 wrote to memory of 2328	3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe	29
PID 3060 wrote to memory of 2328	3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe	29
PID 3060 wrote to memory of 2328	3060	8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe	29
PID 2328 wrote to memory of 2848	2328	WScript.exe	31
PID 2328 wrote to memory of 2848	2328	WScript.exe	31
PID 2328 wrote to memory of 2848	2328	WScript.exe	31
PID 2328 wrote to memory of 2848	2328	WScript.exe	31
PID 2848 wrote to memory of 2084	2848	svchcst.exe	32
PID 2848 wrote to memory of 2084	2848	svchcst.exe	32
PID 2848 wrote to memory of 2084	2848	svchcst.exe	32
PID 2848 wrote to memory of 2084	2848	svchcst.exe	32
PID 2848 wrote to memory of 2172	2848	svchcst.exe	33
PID 2848 wrote to memory of 2172	2848	svchcst.exe	33
PID 2848 wrote to memory of 2172	2848	svchcst.exe	33
PID 2848 wrote to memory of 2172	2848	svchcst.exe	33
PID 2172 wrote to memory of 1292	2172	WScript.exe	34
PID 2172 wrote to memory of 1292	2172	WScript.exe	34
PID 2172 wrote to memory of 1292	2172	WScript.exe	34
PID 2172 wrote to memory of 1292	2172	WScript.exe	34
PID 2084 wrote to memory of 1820	2084	WScript.exe	35
PID 2084 wrote to memory of 1820	2084	WScript.exe	35
PID 2084 wrote to memory of 1820	2084	WScript.exe	35
PID 2084 wrote to memory of 1820	2084	WScript.exe	35
PID 1820 wrote to memory of 1568	1820	svchcst.exe	36
PID 1820 wrote to memory of 1568	1820	svchcst.exe	36
PID 1820 wrote to memory of 1568	1820	svchcst.exe	36
PID 1820 wrote to memory of 1568	1820	svchcst.exe	36
PID 1568 wrote to memory of 1504	1568	WScript.exe	37
PID 1568 wrote to memory of 1504	1568	WScript.exe	37
PID 1568 wrote to memory of 1504	1568	WScript.exe	37
PID 1568 wrote to memory of 1504	1568	WScript.exe	37
PID 1504 wrote to memory of 2244	1504	svchcst.exe	38
PID 1504 wrote to memory of 2244	1504	svchcst.exe	38
PID 1504 wrote to memory of 2244	1504	svchcst.exe	38
PID 1504 wrote to memory of 2244	1504	svchcst.exe	38
PID 2244 wrote to memory of 2056	2244	WScript.exe	39
PID 2244 wrote to memory of 2056	2244	WScript.exe	39
PID 2244 wrote to memory of 2056	2244	WScript.exe	39
PID 2244 wrote to memory of 2056	2244	WScript.exe	39
PID 2056 wrote to memory of 524	2056	svchcst.exe	40
PID 2056 wrote to memory of 524	2056	svchcst.exe	40
PID 2056 wrote to memory of 524	2056	svchcst.exe	40
PID 2056 wrote to memory of 524	2056	svchcst.exe	40
PID 2244 wrote to memory of 2092	2244	WScript.exe	41
PID 2244 wrote to memory of 2092	2244	WScript.exe	41
PID 2244 wrote to memory of 2092	2244	WScript.exe	41
PID 2244 wrote to memory of 2092	2244	WScript.exe	41
PID 2092 wrote to memory of 2076	2092	svchcst.exe	42
PID 2092 wrote to memory of 2076	2092	svchcst.exe	42
PID 2092 wrote to memory of 2076	2092	svchcst.exe	42
PID 2092 wrote to memory of 2076	2092	svchcst.exe	42
PID 2076 wrote to memory of 2568	2076	WScript.exe	43
PID 2076 wrote to memory of 2568	2076	WScript.exe	43
PID 2076 wrote to memory of 2568	2076	WScript.exe	43
PID 2076 wrote to memory of 2568	2076	WScript.exe	43
PID 2568 wrote to memory of 948	2568	svchcst.exe	44
PID 2568 wrote to memory of 948	2568	svchcst.exe	44
PID 2568 wrote to memory of 948	2568	svchcst.exe	44
PID 2568 wrote to memory of 948	2568	svchcst.exe	44
PID 2568 wrote to memory of 1608	2568	svchcst.exe	45
PID 2568 wrote to memory of 1608	2568	svchcst.exe	45
PID 2568 wrote to memory of 1608	2568	svchcst.exe	45
PID 2568 wrote to memory of 1608	2568	svchcst.exe	45

C:\Users\Admin\AppData\Local\Temp\8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe
"C:\Users\Admin\AppData\Local\Temp\8b4c64ed4ca3b6d0a372dad31ab7a18993dac44df9bf6770ece28d5c3acf81a6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9fce8afa2e87faea1b2225587cfc5307

SHA1
c5ffe9bd63a3dc07c3ffe8095c9291d942861494

SHA256
d37475305a40655b789b822235b6e605a8539e9ac2a95ce41957575568dc32fe

SHA512
27a3f7987eb5d4cf0b495154a84e1c7450bb4b5df09bee7db579e0ebc8f48c48f3e1dfa748e39c23fa34a6901a6aba82da4ae7e3a2880fed266293aa9dfa62d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1106df09ec5fdde059876fabb3b189f8

SHA1
ff325b628bb07f43bc277ad1b343ca9b797324f1

SHA256
646d2e16d16c0dc4f95a42ab11dd666e4ecb28752154e1586316faa059fa0829

SHA512
0503a6256c3b327ee4f56644baa5d4237e00877e3502e044d3d698626d32e05f0ec2a71187ce371cf7d68f888e8ceb43a0212b8cce3e74d8f5607c21e574db86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2283f8a69abac384114fd1d31e9b4553

SHA1
3fe88dfe3c161fc94106a032245b51542bf2854a

SHA256
53d1c242420a4fe385fe846a176f08efae4b993a3db3ecf21fdf880b3c53cf06

SHA512
39da59e1aaa169eb98e1c919e1b8ded1266e174b0e97c4eb79f3a90d07baa016fa648c566c906de0ed971fd12278b3c56646500d490611aa0b0a9f4331ba71b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e0b2faf136e0d7122a20d8afd22d0aed

SHA1
866ec36087d67377998a1a082f51925b2bc68674

SHA256
82f62b9ef58e49072e3b4036a8e252d318d9cc3e4a2782a305d570e9ef129ed2

SHA512
89f1792bdf241d05246968bd4106983555b5890100fec7008dbfca293e6b078ee95e9851cd1b3aa70d7a41aa9a9e4d336ff98c5af280bd365853cd9d991d8b2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cbceb53dfa65eef6f2350ab95c676490

SHA1
2b8714ba2f18ca9935899e227a68d65860c27d29

SHA256
4bcef6210362c2aa8d6257e114afc683180a8fbc1f28ad32e03b95f9db3743c1

SHA512
45ace701d576fb49d8426490f9b18cd78808cdad6a15d896a1e526a90d97fb11a6f2bb1e92a4c5f98475ffe6486a8f29eb05be2fa2d74a1f375cb29d926a74d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c6f393e7c3840a9a33af83bcd952f544

SHA1
71a09315618ccf9483c4c5d31932cdb5a8518bcb

SHA256
ca82ffa1e2946d1a0009980537d89b4561414a65a761c251ed80c97199f715a4

SHA512
5b2ef652c61afc7ac97e871f8310cf50f8173fce4d1028b232640512765dcd08e269c4f7a7a49fc7da4a16137408c53a9f61a2bb5bc3fdbd1ed1bc88f0abaebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b3c67d987e4fdf14f6ab83da7508d11f

SHA1
4ef499108d128633ecbe725d4ed5cd41cba85292

SHA256
82a9226fa024e2639ed799611e5a9862958c338e2149a3b2d0f1249370bafcbb

SHA512
354c506ad6fd92aef736b09da20a76cf37d1e461ffa3bbf9a9f881363b51e5841a7ded8ca3575d72be9df70eba070f288d3d17981c2dc3b41f8d2fdf7b48c28a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7bc29b123102f0a2544d4cc979c609de

SHA1
e66eb27125734643bbc92425c1c28083439863fb

SHA256
24af8334a96b5dc96c6a1feb084cfad7cff521733cae2f784f943292c5eaad5a

SHA512
c34064dd082bdd663f29f0ee7645a01ba003d76a5252f082559f5ae91dbe8426c74e1885e8238319d21d4dddba2faa7ef3eb41ade99dcb239bd933003cbec8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
65b2bda01afecda9bce3561e4bac2820

SHA1
036f9254233c2233dae0012cd02693239089b1bb

SHA256
12c4d252e46f674ce6a3ec820e6d31eb8da1908bc7a1781fc165324a4fb38177

SHA512
bb9fef3812cdf466634758353286e650d327497d69cf272ccba7df71cc3833868d82b7ce6c9ca3b8ec3fb557c5a9e71d39c0a2d3d90b0e75df7e16167570384a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
44d1e437f5bb0651552e9e1d9ce14bd0

SHA1
47ee42077501b4fd427b90455a0a5f7d08665a03

SHA256
8b84970806359144c6f5d809d9bd25f97918aa62ab3c0c41e3a3d6d355e3fe3f

SHA512
766a85b9899bee4487f2d31778bde3ead94d6559a40f6930255a2ab87f7b445a45b5327192e41a0d8cccb5bc965c891a26da19df23971f53403123b01bab5ecd

Download Submit
memory/3060-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download