ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe
Size

1.1MB
MD5

59f05f287f55e139ddb2a7a8151e4a0b
SHA1

b38a2960aa10e904a67e61b4a09b6caa3a3684aa
SHA256

ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89
SHA512

4a25805287e9e2941dee0a48e440b2d8e6e85e6836bac5fedfc93e0f5a34dc3a53e263f6abd309c8fe008fec276f22578f2da87d4ddad96d8aef34c0fa45daea
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QX:CcaClSFlG4ZM7QzMQ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2728	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2728	svchcst.exe
3064	svchcst.exe
532	svchcst.exe
1496	svchcst.exe
1896	svchcst.exe
1748	svchcst.exe
556	svchcst.exe
1592	svchcst.exe
1960	svchcst.exe
844	svchcst.exe
1848	svchcst.exe
2704	svchcst.exe
1704	svchcst.exe
2784	svchcst.exe
2172	svchcst.exe
976	svchcst.exe
1196	svchcst.exe
2736	svchcst.exe
2188	svchcst.exe
832	svchcst.exe
2908	svchcst.exe
2336	svchcst.exe
2208	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
772	WScript.exe
772	WScript.exe
2772	WScript.exe
524	WScript.exe
524	WScript.exe
2112	WScript.exe
2112	WScript.exe
2112	WScript.exe
1660	WScript.exe
1660	WScript.exe
2348	WScript.exe
2348	WScript.exe
2988	WScript.exe
2988	WScript.exe
2656	WScript.exe
2656	WScript.exe
2096	WScript.exe
2096	WScript.exe
1268	WScript.exe
1268	WScript.exe
2872	WScript.exe
2872	WScript.exe
2264	WScript.exe
2264	WScript.exe
1080	WScript.exe
1080	WScript.exe
2532	WScript.exe
2532	WScript.exe
2744	WScript.exe
2744	WScript.exe
2580	WScript.exe
2580	WScript.exe
680	WScript.exe
680	WScript.exe
3016	WScript.exe
3016	WScript.exe
1168	WScript.exe
1168	WScript.exe
1812	WScript.exe
1812	WScript.exe
940	WScript.exe
940	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe
2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe
2728	svchcst.exe
2728	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
532	svchcst.exe
532	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe
1896	svchcst.exe
1896	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
556	svchcst.exe
556	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
844	svchcst.exe
844	svchcst.exe
1848	svchcst.exe
1848	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
976	svchcst.exe
976	svchcst.exe
1196	svchcst.exe
1196	svchcst.exe
2736	svchcst.exe
2736	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
832	svchcst.exe
832	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 772	2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe	30
PID 2056 wrote to memory of 772	2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe	30
PID 2056 wrote to memory of 772	2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe	30
PID 2056 wrote to memory of 772	2056	ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe	30
PID 772 wrote to memory of 2728	772	WScript.exe	32
PID 772 wrote to memory of 2728	772	WScript.exe	32
PID 772 wrote to memory of 2728	772	WScript.exe	32
PID 772 wrote to memory of 2728	772	WScript.exe	32
PID 2728 wrote to memory of 2772	2728	svchcst.exe	33
PID 2728 wrote to memory of 2772	2728	svchcst.exe	33
PID 2728 wrote to memory of 2772	2728	svchcst.exe	33
PID 2728 wrote to memory of 2772	2728	svchcst.exe	33
PID 2772 wrote to memory of 3064	2772	WScript.exe	35
PID 2772 wrote to memory of 3064	2772	WScript.exe	35
PID 2772 wrote to memory of 3064	2772	WScript.exe	35
PID 2772 wrote to memory of 3064	2772	WScript.exe	35
PID 3064 wrote to memory of 524	3064	svchcst.exe	36
PID 3064 wrote to memory of 524	3064	svchcst.exe	36
PID 3064 wrote to memory of 524	3064	svchcst.exe	36
PID 3064 wrote to memory of 524	3064	svchcst.exe	36
PID 524 wrote to memory of 532	524	WScript.exe	37
PID 524 wrote to memory of 532	524	WScript.exe	37
PID 524 wrote to memory of 532	524	WScript.exe	37
PID 524 wrote to memory of 532	524	WScript.exe	37
PID 532 wrote to memory of 2592	532	svchcst.exe	38
PID 532 wrote to memory of 2592	532	svchcst.exe	38
PID 532 wrote to memory of 2592	532	svchcst.exe	38
PID 532 wrote to memory of 2592	532	svchcst.exe	38
PID 524 wrote to memory of 1496	524	WScript.exe	39
PID 524 wrote to memory of 1496	524	WScript.exe	39
PID 524 wrote to memory of 1496	524	WScript.exe	39
PID 524 wrote to memory of 1496	524	WScript.exe	39
PID 1496 wrote to memory of 2112	1496	svchcst.exe	40
PID 1496 wrote to memory of 2112	1496	svchcst.exe	40
PID 1496 wrote to memory of 2112	1496	svchcst.exe	40
PID 1496 wrote to memory of 2112	1496	svchcst.exe	40
PID 2112 wrote to memory of 1896	2112	WScript.exe	41
PID 2112 wrote to memory of 1896	2112	WScript.exe	41
PID 2112 wrote to memory of 1896	2112	WScript.exe	41
PID 2112 wrote to memory of 1896	2112	WScript.exe	41
PID 1896 wrote to memory of 1628	1896	svchcst.exe	42
PID 1896 wrote to memory of 1628	1896	svchcst.exe	42
PID 1896 wrote to memory of 1628	1896	svchcst.exe	42
PID 1896 wrote to memory of 1628	1896	svchcst.exe	42
PID 2112 wrote to memory of 1748	2112	WScript.exe	43
PID 2112 wrote to memory of 1748	2112	WScript.exe	43
PID 2112 wrote to memory of 1748	2112	WScript.exe	43
PID 2112 wrote to memory of 1748	2112	WScript.exe	43
PID 1748 wrote to memory of 1660	1748	svchcst.exe	44
PID 1748 wrote to memory of 1660	1748	svchcst.exe	44
PID 1748 wrote to memory of 1660	1748	svchcst.exe	44
PID 1748 wrote to memory of 1660	1748	svchcst.exe	44
PID 1660 wrote to memory of 556	1660	WScript.exe	45
PID 1660 wrote to memory of 556	1660	WScript.exe	45
PID 1660 wrote to memory of 556	1660	WScript.exe	45
PID 1660 wrote to memory of 556	1660	WScript.exe	45
PID 556 wrote to memory of 2348	556	svchcst.exe	46
PID 556 wrote to memory of 2348	556	svchcst.exe	46
PID 556 wrote to memory of 2348	556	svchcst.exe	46
PID 556 wrote to memory of 2348	556	svchcst.exe	46
PID 2348 wrote to memory of 1592	2348	WScript.exe	47
PID 2348 wrote to memory of 1592	2348	WScript.exe	47
PID 2348 wrote to memory of 1592	2348	WScript.exe	47
PID 2348 wrote to memory of 1592	2348	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe
"C:\Users\Admin\AppData\Local\Temp\ed0bc768086498bf2e0d67541f0f19967429890c5545c639b12ca74f72c0bc89.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2551ae733b39ac9061a9d5ebd2f29d98

SHA1
08247d27dd5bf959db0b29d3e5b0551dc47c9d02

SHA256
c69ee4a632cc1c351d5fa930d42546923a4125e7d9cbccb2ad9f9e3318be2b77

SHA512
a1c669cb87194c2b496a7131f7f2920b6c31156f88d6c1140e79f3b83fbca3785cd57fea2d47cb951ed576e69a1240e81746a5bc5444e65fd05fa5234125731c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
148b4d75bd4a40a3b08ecae13e68bfdc

SHA1
8f74795935078f0f1765b5bf95bde05a39a3ae21

SHA256
a3c0b231a98c9f73a480f44e64ea1017b94990610bd4a5f93ce6f2139381e332

SHA512
f848ac7bd857549fa827b713a94e3a6ed0e239311f27e5ed69c3d1cafd915cc46f9585bad3111d5c2685b0dba37fc86db55fe9c3fde7c67de9a9a8e4158a7666

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
71ae2c5480b1005fa39e1e0e0562bbb4

SHA1
98c8dc7324526acd23347fd8bd11c6b90688d007

SHA256
01069babbee078fd029498be14b831f1bce7912806ffb84ac1aaae2c324d407d

SHA512
0010b909410f62235373c52816b85699a357367577e4dc4f3a262f40fafee51967776f84c905a4c5c33a0b020bee01eaf874c35ea01eb7573f6385905e499183

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b756f8b2ab8796d031ff2a58655ae7ac

SHA1
5c1bafc710ef4af296d9b8b06f00749029dc8c8b

SHA256
b9a188543f2ab11b697ae5777f8d988cab876fb45efe50f4d4b1babd96f86424

SHA512
a6fc41d06b2994b584400c60e60d8a3396d52044683a8bfe5e657f76cd151fb712e0c720a4c0a1d3bb679bad47038cd300b8fa3dd267b8243b81e9dd6ddd15a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
19ef692f2615270f929c8d5547d5fccc

SHA1
8886e4053a665ee239aa83ac2f54e68332359f50

SHA256
9fc3d181c85d2771217b83af28a190a1e91693f58d9f3bee184e3db30814c9e5

SHA512
1ac42cdfe52dc75fad1ed96d0959c877237771add9dff14cda1fe3a0fc02dc0d8b9ab9d4963927b93fb989b395558fbce742a866b542b3cf0f9d8555274659d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0b2f82e8d69e07862c725c2ddacc8c55

SHA1
373735da2e38f2894d616e88ef26880bc761529a

SHA256
4f720eb0ef8ee2e35697c8fa2230ae6ae6d070786bac58907c73526947cb2482

SHA512
541efdadb338d30ec6b6c35d39e37b451112f4d849f79d4561774dc60df02cb644058933a2c3b48b24cc25a3940b7e1948d400dc4c8bdcad4aeeaaccffedf94f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
167ad31cf469811a296fa97ed3618a1d

SHA1
aba9e96836f4e5fe9d744a1bc5070f2973988ca0

SHA256
b1598191edb9abb60e78fa583805f1f0b90a1467cbd875dc1444ca9a6d05fdd8

SHA512
c0ef5383160c533cb9d8a753fe00fd8674359b2f676777e10baba3d85ceee50be0c79d685388790fb64cbef7849dac389b242da03e4923725996d76c9052504b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
47089f926c7607f7b53c6d5a7b610b5a

SHA1
87742261254280c6d460d12de0e2ba1a57823da4

SHA256
c957f838b7a06551af9674df884ea0068222905a4e823e7c9add70e9c135a56d

SHA512
c5fe5827a54887deee6f804a6f7da7ccac307d3165ab6c802833c2e7626a80e389a8104f08abaf427501d347bd09e661f1c8502556171224699cc5aed492832e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c3500b569983eefaab4a32e90e19da03

SHA1
43c40e2a4f08c2804bb4c5d959f5d40aa61851cc

SHA256
7760e9ece361b850d135d6cda259f9a4a636e8448066d4e6ce99f7c9b95e75b6

SHA512
0f92dcf7ef5bed4ebc525616533a30b57fbd204565b3a91eb7c4525fc106350fb2e8a7f4031b4b39c5a52bdfc1e53c5d4ab246b6635e0bc1c65e89905ef4a118

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
efc546b4b7a61b9ddc8be0fa404f0ad5

SHA1
9ebaaef46199eda0441ffe1e3db971dc28f042e8

SHA256
95320ee915218d1d6da6430da9690f4677ab9ed4e22ff881969d99f54b032046

SHA512
a7b9062e33e91dc50d4b73065f4128dd5dfd94650eb0628248d18115b00476dea34428058ec328de0d71bfb17e460ba7e308cf6aee737aa2c50ff239257b0119

Download Submit
memory/2056-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download