cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe
Size

1.1MB
MD5

3969f55837678df5c34cb6a775cdd503
SHA1

cd79203fa490a1a4c7bfda0e6a119128369f100f
SHA256

cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86
SHA512

91b9f5dd4116521b0bb5751c2b798f48c1789ae4ed01931bd59d3a30986e4064f829bfd08c1716d4e9acc48ebe28c09bf81714738d25cf89e7e02f0cb81ca5e5
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3004	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
3004	svchcst.exe
1036	svchcst.exe
2920	svchcst.exe
336	svchcst.exe
1052	svchcst.exe
936	svchcst.exe
904	svchcst.exe
2468	svchcst.exe
2876	svchcst.exe
1640	svchcst.exe
1084	svchcst.exe
628	svchcst.exe
2120	svchcst.exe
2304	svchcst.exe
1692	svchcst.exe
1668	svchcst.exe
2624	svchcst.exe
2444	svchcst.exe
2724	svchcst.exe
2868	svchcst.exe
2400	svchcst.exe
844	svchcst.exe
3044	svchcst.exe
880	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
1444	WScript.exe
1444	WScript.exe
2620	WScript.exe
2620	WScript.exe
1196	WScript.exe
2000	WScript.exe
2000	WScript.exe
2000	WScript.exe
2368	WScript.exe
2368	WScript.exe
2532	WScript.exe
2532	WScript.exe
2532	WScript.exe
2880	WScript.exe
2880	WScript.exe
1492	WScript.exe
1492	WScript.exe
2952	WScript.exe
2952	WScript.exe
2920	WScript.exe
2920	WScript.exe
316	WScript.exe
316	WScript.exe
1648	WScript.exe
1648	WScript.exe
2440	WScript.exe
2440	WScript.exe
2872	WScript.exe
2872	WScript.exe
2132	WScript.exe
2132	WScript.exe
2792	WScript.exe
2792	WScript.exe
780	WScript.exe
780	WScript.exe
1036	WScript.exe
1036	WScript.exe
2080	WScript.exe
2080	WScript.exe
1168	WScript.exe
1168	WScript.exe
1148	WScript.exe
1148	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe
1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe
3004	svchcst.exe
3004	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe
2920	svchcst.exe
2920	svchcst.exe
336	svchcst.exe
336	svchcst.exe
1052	svchcst.exe
1052	svchcst.exe
936	svchcst.exe
936	svchcst.exe
904	svchcst.exe
904	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
1640	svchcst.exe
1640	svchcst.exe
1084	svchcst.exe
1084	svchcst.exe
628	svchcst.exe
628	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
2724	svchcst.exe
2724	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
844	svchcst.exe
844	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
880	svchcst.exe
880	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1444	1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe	30
PID 1248 wrote to memory of 1444	1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe	30
PID 1248 wrote to memory of 1444	1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe	30
PID 1248 wrote to memory of 1444	1248	cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe	30
PID 1444 wrote to memory of 3004	1444	WScript.exe	33
PID 1444 wrote to memory of 3004	1444	WScript.exe	33
PID 1444 wrote to memory of 3004	1444	WScript.exe	33
PID 1444 wrote to memory of 3004	1444	WScript.exe	33
PID 3004 wrote to memory of 2620	3004	svchcst.exe	34
PID 3004 wrote to memory of 2620	3004	svchcst.exe	34
PID 3004 wrote to memory of 2620	3004	svchcst.exe	34
PID 3004 wrote to memory of 2620	3004	svchcst.exe	34
PID 2620 wrote to memory of 1036	2620	WScript.exe	35
PID 2620 wrote to memory of 1036	2620	WScript.exe	35
PID 2620 wrote to memory of 1036	2620	WScript.exe	35
PID 2620 wrote to memory of 1036	2620	WScript.exe	35
PID 1036 wrote to memory of 1196	1036	svchcst.exe	36
PID 1036 wrote to memory of 1196	1036	svchcst.exe	36
PID 1036 wrote to memory of 1196	1036	svchcst.exe	36
PID 1036 wrote to memory of 1196	1036	svchcst.exe	36
PID 1196 wrote to memory of 2920	1196	WScript.exe	37
PID 1196 wrote to memory of 2920	1196	WScript.exe	37
PID 1196 wrote to memory of 2920	1196	WScript.exe	37
PID 1196 wrote to memory of 2920	1196	WScript.exe	37
PID 2920 wrote to memory of 2000	2920	svchcst.exe	38
PID 2920 wrote to memory of 2000	2920	svchcst.exe	38
PID 2920 wrote to memory of 2000	2920	svchcst.exe	38
PID 2920 wrote to memory of 2000	2920	svchcst.exe	38
PID 2000 wrote to memory of 336	2000	WScript.exe	39
PID 2000 wrote to memory of 336	2000	WScript.exe	39
PID 2000 wrote to memory of 336	2000	WScript.exe	39
PID 2000 wrote to memory of 336	2000	WScript.exe	39
PID 336 wrote to memory of 2368	336	svchcst.exe	40
PID 336 wrote to memory of 2368	336	svchcst.exe	40
PID 336 wrote to memory of 2368	336	svchcst.exe	40
PID 336 wrote to memory of 2368	336	svchcst.exe	40
PID 2000 wrote to memory of 1052	2000	WScript.exe	41
PID 2000 wrote to memory of 1052	2000	WScript.exe	41
PID 2000 wrote to memory of 1052	2000	WScript.exe	41
PID 2000 wrote to memory of 1052	2000	WScript.exe	41
PID 2368 wrote to memory of 936	2368	WScript.exe	42
PID 2368 wrote to memory of 936	2368	WScript.exe	42
PID 2368 wrote to memory of 936	2368	WScript.exe	42
PID 2368 wrote to memory of 936	2368	WScript.exe	42
PID 1052 wrote to memory of 1760	1052	svchcst.exe	43
PID 1052 wrote to memory of 1760	1052	svchcst.exe	43
PID 1052 wrote to memory of 1760	1052	svchcst.exe	43
PID 1052 wrote to memory of 1760	1052	svchcst.exe	43
PID 2368 wrote to memory of 904	2368	WScript.exe	44
PID 2368 wrote to memory of 904	2368	WScript.exe	44
PID 2368 wrote to memory of 904	2368	WScript.exe	44
PID 2368 wrote to memory of 904	2368	WScript.exe	44
PID 904 wrote to memory of 2532	904	svchcst.exe	45
PID 904 wrote to memory of 2532	904	svchcst.exe	45
PID 904 wrote to memory of 2532	904	svchcst.exe	45
PID 904 wrote to memory of 2532	904	svchcst.exe	45
PID 2532 wrote to memory of 2468	2532	WScript.exe	46
PID 2532 wrote to memory of 2468	2532	WScript.exe	46
PID 2532 wrote to memory of 2468	2532	WScript.exe	46
PID 2532 wrote to memory of 2468	2532	WScript.exe	46
PID 2468 wrote to memory of 2288	2468	svchcst.exe	47
PID 2468 wrote to memory of 2288	2468	svchcst.exe	47
PID 2468 wrote to memory of 2288	2468	svchcst.exe	47
PID 2468 wrote to memory of 2288	2468	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe
"C:\Users\Admin\AppData\Local\Temp\cbd26675f49831167062dd7003c8e4483538ea4bb4846ac8c1780c79f53fbf86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1036
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
be844a9a8337f7fbfbf14859a023a378

SHA1
657b78d139aaa5ae7979510eda70f508d79185b6

SHA256
db7892101814d29075cae8a82d352d6a68f7b762cde750dfc3af2cab710da26d

SHA512
afeb05560d06696a806136cb0c9d4a3f90b5e05a449f96f8ac1e67a35b11247eb2f940cf881e4aa39ef4601c0b31e3fb3ad13b31ee2bae5997287a57a35a2912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8364c7b31d7cc2ff033d43e692633d35

SHA1
8c51dd902e1739104aff48093aecb669522fea1f

SHA256
7ac0c74de647ef78ef6fffba49310f3c9c1b7d9ad19121d3502ec03c6e412a42

SHA512
0615c03be93f2b8cadfa7f0fca0ec6a790728d61980a9cd5edc372c99d3d73c5bdd1e6abfc055d4bd7ff2a2aa67f6fd5221c0d0479e33ac6736522fdc0572571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0b07dbb471d7fe60f6b7446050131aa9

SHA1
4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1

SHA256
483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929

SHA512
6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cefcde7a292edfc29b3882cdeb23dba

SHA1
3588db649319258acc78049555e0c587aae5dcf1

SHA256
4fc01d17db5185ecf506bb8ad2665dc04fbc85d9b55282b364687c5c82689251

SHA512
14f7f31813f271f8ab4c58ad06504769900ae075915db76882bce80dfaa82bb76bc6c40fa76f6eae4f3c65d2311a702d5581510ea5ade452ea8b6f957da1684c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fa55b1b2710543deab39739def7938b9

SHA1
1ec56ef1c12df2785476e9376dfe4d26fd48445b

SHA256
a8ef5376ebe1ae0f2369950d8ca02511be3f42c13869f2028534ffef0e283c76

SHA512
095a16a629e9f00fa9052de95d5d1183eaa701ec3a474d4c94e5ab116a58eed1d82e14db17e7b8fa811a5752ce5188dd05eb402f7971fb684b8574ebce82361d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
743042529b1f188a70be46089e79b034

SHA1
febb160817f2d865b1a222094c5bf50d9084e75d

SHA256
c39ab9cf460a311ab1305e8f882b6b2b323c4c5f82440a1a9da8230088b04ec8

SHA512
80152fb996b8a376e0c4b066c53faac5f72d6ffa84e41827b47b014ad10d54a289ff1b77be39d7e65d7790bdad9c1ff0f79f1569f9bde7f713366db498661d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86d559c3936e685bc7f600a36110bb4a

SHA1
41032259ecef045c45077c144060bda9a0cb8c82

SHA256
adc0b4a8a61030e7e11b161aca270777e8ef2dd70b71ba4c48166827c46cea75

SHA512
2f2c2f6da0a31ed2e7cf7ea19dadd797e3ec3203e48ee1106aa054689192b5ea8c25fdd10a7bd61ca91de0fb31233e0af24661c8a7949f8d6636f0cfebf7e472

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
031ebae8ae1b72d65a468e265f1432db

SHA1
a60d815b05cda35b85d3c06ea2349a808bb9fe47

SHA256
7cd1b74f95514e5f4b6445bfa0cecf8c3246992b792f2f6c051a2eb8211b89eb

SHA512
8fbbe9aef1fa971f23404f84fb6aa80060381b37eb4ec033127449c19ff69ee7891f5329beac4738e072e9941d72a3760863be383bce1075fa94d52c7518e5d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
40a1c7cc20482e8599d1bd8ff2ed7450

SHA1
b019e69ed03c60dcd5c66679aaa43b9e14771786

SHA256
de852c44389c218adf7a0fec7e4672f1ddf3f31b37befcb6d66f37da5364339b

SHA512
7d75793d2b63003a0855b53ce43d4323b25072a72bca51dacb1a84135ae54fcff314072c26d39258a555b998509b40578bc9d9764d002a46ce1086e13cfe4677

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
39761b63308a59b7ea72256b79fcb72c

SHA1
02b1599c293474d809422e7a2eb01f3aa9bdb5ff

SHA256
3a1027794a41a3741c14ea17e42d4c6c3ef848e908c497ede86cc8fd2797cab8

SHA512
82a91c4231f43da7e23e4b2741a00e97e2372eb31bcf3665703b6cf4c7dc6f657619354ac82ca0b6d40ac23b6d6f648f6029c41bf2f65bb17860f78a20c4fbfd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2bb97c379de30ee0109590467bc43a39

SHA1
e11b8617bd2715911007f5b278efdebbdee5ad75

SHA256
60db29e534724a87cde298fe387c14b61a74ef69ae751b24b6e9d215e71a839d

SHA512
da7355e2ba7336145420232bfa38415130c908e069593243b687a64e3717d4452cf72475ae4f88a41e88a44cc3ebaecb7f78d4ff2452eb36e03b9fb83a1ec979

Download Submit
memory/1248-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download