b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d

Analysis

max time kernel
135s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
Size

1.1MB
MD5

65d70712a640e33fab38931fdb08d0e8
SHA1

db8af98f6e849623735f498c30dce768a567ae3d
SHA256

b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d
SHA512

9bef56dcde77fa760810ca593c0d834b6ebb10a617c42c0a82ae5c12cdfac1fa06c6fd04cab772eb48a01c12f986ee0cdd42a88cf5bec92e2ebdcb335187671c
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzMb

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	svchcst.exe

Executes dropped EXE 21 IoCs

pid	Process
3052	svchcst.exe
2776	svchcst.exe
2752	svchcst.exe
2212	svchcst.exe
1536	svchcst.exe
1528	svchcst.exe
876	svchcst.exe
2860	svchcst.exe
2236	svchcst.exe
2544	svchcst.exe
1968	svchcst.exe
2040	svchcst.exe
3024	svchcst.exe
2912	svchcst.exe
2684	svchcst.exe
628	svchcst.exe
2496	svchcst.exe
536	svchcst.exe
2188	svchcst.exe
2980	svchcst.exe
448	svchcst.exe

Loads dropped DLL 36 IoCs

pid	Process
2716	WScript.exe
2716	WScript.exe
348	WScript.exe
1200	WScript.exe
2980	WScript.exe
2980	WScript.exe
1820	WScript.exe
1532	WScript.exe
1532	WScript.exe
1532	WScript.exe
2836	WScript.exe
2836	WScript.exe
2884	WScript.exe
2884	WScript.exe
2764	WScript.exe
2660	WScript.exe
2660	WScript.exe
2452	WScript.exe
2028	WScript.exe
2028	WScript.exe
2488	WScript.exe
2488	WScript.exe
876	WScript.exe
876	WScript.exe
3052	WScript.exe
3052	WScript.exe
2436	WScript.exe
2436	WScript.exe
2744	WScript.exe
2744	WScript.exe
2952	WScript.exe
2952	WScript.exe
2112	WScript.exe
2124	WScript.exe
2112	WScript.exe
2124	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
3052	svchcst.exe
3052	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe
876	svchcst.exe
876	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
628	svchcst.exe
628	svchcst.exe
2496	svchcst.exe
2496	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
448	svchcst.exe
448	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2716	2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	31
PID 2688 wrote to memory of 2716	2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	31
PID 2688 wrote to memory of 2716	2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	31
PID 2688 wrote to memory of 2716	2688	b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe	31
PID 2716 wrote to memory of 3052	2716	WScript.exe	33
PID 2716 wrote to memory of 3052	2716	WScript.exe	33
PID 2716 wrote to memory of 3052	2716	WScript.exe	33
PID 2716 wrote to memory of 3052	2716	WScript.exe	33
PID 3052 wrote to memory of 348	3052	svchcst.exe	34
PID 3052 wrote to memory of 348	3052	svchcst.exe	34
PID 3052 wrote to memory of 348	3052	svchcst.exe	34
PID 3052 wrote to memory of 348	3052	svchcst.exe	34
PID 348 wrote to memory of 2776	348	WScript.exe	35
PID 348 wrote to memory of 2776	348	WScript.exe	35
PID 348 wrote to memory of 2776	348	WScript.exe	35
PID 348 wrote to memory of 2776	348	WScript.exe	35
PID 2776 wrote to memory of 1200	2776	svchcst.exe	36
PID 2776 wrote to memory of 1200	2776	svchcst.exe	36
PID 2776 wrote to memory of 1200	2776	svchcst.exe	36
PID 2776 wrote to memory of 1200	2776	svchcst.exe	36
PID 1200 wrote to memory of 2752	1200	WScript.exe	37
PID 1200 wrote to memory of 2752	1200	WScript.exe	37
PID 1200 wrote to memory of 2752	1200	WScript.exe	37
PID 1200 wrote to memory of 2752	1200	WScript.exe	37
PID 2752 wrote to memory of 2980	2752	svchcst.exe	38
PID 2752 wrote to memory of 2980	2752	svchcst.exe	38
PID 2752 wrote to memory of 2980	2752	svchcst.exe	38
PID 2752 wrote to memory of 2980	2752	svchcst.exe	38
PID 2980 wrote to memory of 2212	2980	WScript.exe	39
PID 2980 wrote to memory of 2212	2980	WScript.exe	39
PID 2980 wrote to memory of 2212	2980	WScript.exe	39
PID 2980 wrote to memory of 2212	2980	WScript.exe	39
PID 2212 wrote to memory of 1820	2212	svchcst.exe	40
PID 2212 wrote to memory of 1820	2212	svchcst.exe	40
PID 2212 wrote to memory of 1820	2212	svchcst.exe	40
PID 2212 wrote to memory of 1820	2212	svchcst.exe	40
PID 1820 wrote to memory of 1536	1820	WScript.exe	41
PID 1820 wrote to memory of 1536	1820	WScript.exe	41
PID 1820 wrote to memory of 1536	1820	WScript.exe	41
PID 1820 wrote to memory of 1536	1820	WScript.exe	41
PID 1536 wrote to memory of 1532	1536	svchcst.exe	42
PID 1536 wrote to memory of 1532	1536	svchcst.exe	42
PID 1536 wrote to memory of 1532	1536	svchcst.exe	42
PID 1536 wrote to memory of 1532	1536	svchcst.exe	42
PID 1532 wrote to memory of 1528	1532	WScript.exe	43
PID 1532 wrote to memory of 1528	1532	WScript.exe	43
PID 1532 wrote to memory of 1528	1532	WScript.exe	43
PID 1532 wrote to memory of 1528	1532	WScript.exe	43
PID 1528 wrote to memory of 1952	1528	svchcst.exe	44
PID 1528 wrote to memory of 1952	1528	svchcst.exe	44
PID 1528 wrote to memory of 1952	1528	svchcst.exe	44
PID 1528 wrote to memory of 1952	1528	svchcst.exe	44
PID 1532 wrote to memory of 876	1532	WScript.exe	45
PID 1532 wrote to memory of 876	1532	WScript.exe	45
PID 1532 wrote to memory of 876	1532	WScript.exe	45
PID 1532 wrote to memory of 876	1532	WScript.exe	45
PID 876 wrote to memory of 2836	876	svchcst.exe	46
PID 876 wrote to memory of 2836	876	svchcst.exe	46
PID 876 wrote to memory of 2836	876	svchcst.exe	46
PID 876 wrote to memory of 2836	876	svchcst.exe	46
PID 2836 wrote to memory of 2860	2836	WScript.exe	47
PID 2836 wrote to memory of 2860	2836	WScript.exe	47
PID 2836 wrote to memory of 2860	2836	WScript.exe	47
PID 2836 wrote to memory of 2860	2836	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe
"C:\Users\Admin\AppData\Local\Temp\b7905c8d2e0bddb9a0a1e2abbc9899e0e7bbafffadcbf9c1766244789c69098d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:348
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3231fac921df7c239444bcb3bf3c5efa

SHA1
263e81e93494fd491f99b95024ea15ff297455e6

SHA256
04807e4a06f0e52894633d75197aa3abd7ac3d8af95d4f94e45e808567f6b221

SHA512
67222135ec767f13091c7e4388ec46b8b4a076b9d3b3b5e5e15b73cdf4321622c75cc322c620c56e4279a174a7c8d2d62ee02208c080cf1fb8d51abeb1ce3aec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
450bd24def6703680d83fc8586fe6d87

SHA1
ff6e5c82c43fcff168e65ed414f8ee8de6aa6615

SHA256
bf7ce604380c664a0f01ff7c9e0a5952d6d4eb53577e01b08d28859749fb17e5

SHA512
83fd9e9d365cc4f19a8e88297515f71584a134b2b52c73d475530dbdb021b8e8673cd18287b1c867915501ba4f68186f9f1abd3e86acc9870ab86534bdabfe4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
01491f5df4f8234770ce3306a0e533c0

SHA1
c772fd8e2a3577b3b6f091cbe1850d44015add5c

SHA256
98ce45860187d2415b143b35935d3d46caa162c4fd20eb474d51bc39002757c3

SHA512
c6c0d7727b106caa4b02234bd7518d411be66fc76e5321da9415c13ecd379667e589a8f61665cc605a4184e56d8819f7704ca93666ae1c86cfea7cf2afa6cf13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6c41fee708c41786e0f5dfbcc6ef742b

SHA1
4d529587b00f2d38091357fa8a1def365678cd57

SHA256
8789114aedacbcbaff3f5f2dc6282dbcc2dbebd9df913474c7f2dc38c2978397

SHA512
a86364d1afc1d81766c2757e8f7450bc4df96af6621a5adf09ba08235673da35368680f3f5b7a7c6a4062562fe4f5c69f69e6905f6160d6813aa13b8631268a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9e81ec28bc404481e0f7c6033bfc153f

SHA1
eed5e8c237dda2a63c2d52950c8441133b1dcb03

SHA256
412d8793b7c81421a22b403a1ba420ec0fab22077e09adc77a923f769963ca35

SHA512
b052b3be188c814e589aade1f351d316e3b45f93847274866b372122a5d0f4a6fa0b40dcf90e4c157de31aec5b1ce71d62be870d9dfbca2ec624c1766ef7efe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
205756a7ee8837cb8f2c218e8404e95d

SHA1
d3f6932f007b0ecdab7803a85bb770d6eb97a815

SHA256
9aed0f0c61b2bfa1341c62f9782c43f720ee25c018d5a7dee0ba92f3ff33c76b

SHA512
0d7bb822f692a1e43d93b870f5fd2bc65c172e4390b81d30eed07fe6b7d7cfe6152a221f7d31ddfce3aa15d1be176e1d578bc4e1b2c2ce04be65a97aada2d5df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7ef0066d78e47062cfc2f617c0c1f345

SHA1
5e813f78f3d99ae52579b80e989d2ca028be7bb5

SHA256
fec826de7b9bb84d3e1770683ba58ce48136a286d7e24a11d808688dc99a6271

SHA512
3c0d18a332b80f0f73022256918245cf134f9a113087588b53137b2235d377724e5091eb88970a37ced77e09d496d32c1fb1e59b2da93321bad5766baddb8066

Download Submit
memory/348-29-0x0000000005BF0000-0x0000000005D4F000-memory.dmp

Filesize
1.4MB

Download
memory/448-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-207-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/536-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/628-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/876-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1528-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1820-64-0x0000000005F20000-0x000000000607F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-149-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-153-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-163-0x0000000005710000-0x000000000586F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-162-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2040-154-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2112-220-0x00000000044C0000-0x000000000461F000-memory.dmp

Filesize
1.4MB

Download
memory/2112-217-0x00000000044C0000-0x000000000461F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-216-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2188-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-119-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2236-128-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2496-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2544-140-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-161-0x0000000005C40000-0x0000000005D9F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-14-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/2716-13-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/2752-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2752-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2776-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-101-0x0000000005930000-0x0000000005A8F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-102-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-112-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2884-117-0x0000000005D70000-0x0000000005ECF000-memory.dmp

Filesize
1.4MB

Download
memory/2884-118-0x0000000005D70000-0x0000000005ECF000-memory.dmp

Filesize
1.4MB

Download
memory/2912-178-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2952-208-0x0000000004690000-0x00000000047EF000-memory.dmp

Filesize
1.4MB

Download
memory/2980-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-171-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3024-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3052-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download