22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe
Size

1.1MB
MD5

d6df933498bdf745aa38c9ff162d9cfe
SHA1

022a5575aba3bfd5f68a7af65cd9b454e7d0d1e2
SHA256

22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad
SHA512

35006b19da5d80a6d9238a4562b6098a2969e6d41afb1340743ea09aca90d42e2cebedca6f6f977f4002416d3cb77cc3489b070d6a1582e4e39a70a9f20916c0
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:CcaClSFlG4ZM7QzMW

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2644	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2644	svchcst.exe
2624	svchcst.exe
1372	svchcst.exe
2892	svchcst.exe
1620	svchcst.exe
1860	svchcst.exe
696	svchcst.exe
2552	svchcst.exe
1632	svchcst.exe
1700	svchcst.exe
1520	svchcst.exe
2320	svchcst.exe
1544	svchcst.exe
1976	svchcst.exe
2988	svchcst.exe
2556	svchcst.exe
2600	svchcst.exe
1684	svchcst.exe
1492	svchcst.exe
2700	svchcst.exe
1080	svchcst.exe
2144	svchcst.exe
3044	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
1164	WScript.exe
1164	WScript.exe
776	WScript.exe
776	WScript.exe
1244	WScript.exe
1944	WScript.exe
2100	WScript.exe
2100	WScript.exe
1920	WScript.exe
1920	WScript.exe
2448	WScript.exe
1732	WScript.exe
2596	WScript.exe
2596	WScript.exe
2836	WScript.exe
2836	WScript.exe
1948	WScript.exe
1948	WScript.exe
1540	WScript.exe
1540	WScript.exe
1084	WScript.exe
1084	WScript.exe
2100	WScript.exe
2100	WScript.exe
844	WScript.exe
844	WScript.exe
2224	WScript.exe
2224	WScript.exe
2764	WScript.exe
2764	WScript.exe
264	WScript.exe
264	WScript.exe
1664	WScript.exe
1664	WScript.exe
1956	WScript.exe
1956	WScript.exe
2476	WScript.exe
2476	WScript.exe
1708	WScript.exe
1708	WScript.exe
1084	WScript.exe
1084	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe
2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe
2644	svchcst.exe
2644	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
1372	svchcst.exe
1372	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
1860	svchcst.exe
1860	svchcst.exe
696	svchcst.exe
696	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
1544	svchcst.exe
1544	svchcst.exe
1976	svchcst.exe
1976	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2556	svchcst.exe
2556	svchcst.exe
2600	svchcst.exe
2600	svchcst.exe
1684	svchcst.exe
1684	svchcst.exe
1492	svchcst.exe
1492	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 1164	2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe	30
PID 2104 wrote to memory of 1164	2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe	30
PID 2104 wrote to memory of 1164	2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe	30
PID 2104 wrote to memory of 1164	2104	22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe	30
PID 1164 wrote to memory of 2644	1164	WScript.exe	32
PID 1164 wrote to memory of 2644	1164	WScript.exe	32
PID 1164 wrote to memory of 2644	1164	WScript.exe	32
PID 1164 wrote to memory of 2644	1164	WScript.exe	32
PID 2644 wrote to memory of 776	2644	svchcst.exe	33
PID 2644 wrote to memory of 776	2644	svchcst.exe	33
PID 2644 wrote to memory of 776	2644	svchcst.exe	33
PID 2644 wrote to memory of 776	2644	svchcst.exe	33
PID 776 wrote to memory of 2624	776	WScript.exe	34
PID 776 wrote to memory of 2624	776	WScript.exe	34
PID 776 wrote to memory of 2624	776	WScript.exe	34
PID 776 wrote to memory of 2624	776	WScript.exe	34
PID 2624 wrote to memory of 1244	2624	svchcst.exe	35
PID 2624 wrote to memory of 1244	2624	svchcst.exe	35
PID 2624 wrote to memory of 1244	2624	svchcst.exe	35
PID 2624 wrote to memory of 1244	2624	svchcst.exe	35
PID 1244 wrote to memory of 1372	1244	WScript.exe	36
PID 1244 wrote to memory of 1372	1244	WScript.exe	36
PID 1244 wrote to memory of 1372	1244	WScript.exe	36
PID 1244 wrote to memory of 1372	1244	WScript.exe	36
PID 1372 wrote to memory of 1944	1372	svchcst.exe	37
PID 1372 wrote to memory of 1944	1372	svchcst.exe	37
PID 1372 wrote to memory of 1944	1372	svchcst.exe	37
PID 1372 wrote to memory of 1944	1372	svchcst.exe	37
PID 1944 wrote to memory of 2892	1944	WScript.exe	38
PID 1944 wrote to memory of 2892	1944	WScript.exe	38
PID 1944 wrote to memory of 2892	1944	WScript.exe	38
PID 1944 wrote to memory of 2892	1944	WScript.exe	38
PID 2892 wrote to memory of 2100	2892	svchcst.exe	39
PID 2892 wrote to memory of 2100	2892	svchcst.exe	39
PID 2892 wrote to memory of 2100	2892	svchcst.exe	39
PID 2892 wrote to memory of 2100	2892	svchcst.exe	39
PID 2100 wrote to memory of 1620	2100	WScript.exe	41
PID 2100 wrote to memory of 1620	2100	WScript.exe	41
PID 2100 wrote to memory of 1620	2100	WScript.exe	41
PID 2100 wrote to memory of 1620	2100	WScript.exe	41
PID 1620 wrote to memory of 1920	1620	svchcst.exe	42
PID 1620 wrote to memory of 1920	1620	svchcst.exe	42
PID 1620 wrote to memory of 1920	1620	svchcst.exe	42
PID 1620 wrote to memory of 1920	1620	svchcst.exe	42
PID 1920 wrote to memory of 1860	1920	WScript.exe	43
PID 1920 wrote to memory of 1860	1920	WScript.exe	43
PID 1920 wrote to memory of 1860	1920	WScript.exe	43
PID 1920 wrote to memory of 1860	1920	WScript.exe	43
PID 1860 wrote to memory of 2448	1860	svchcst.exe	44
PID 1860 wrote to memory of 2448	1860	svchcst.exe	44
PID 1860 wrote to memory of 2448	1860	svchcst.exe	44
PID 1860 wrote to memory of 2448	1860	svchcst.exe	44
PID 2448 wrote to memory of 696	2448	WScript.exe	45
PID 2448 wrote to memory of 696	2448	WScript.exe	45
PID 2448 wrote to memory of 696	2448	WScript.exe	45
PID 2448 wrote to memory of 696	2448	WScript.exe	45
PID 696 wrote to memory of 1732	696	svchcst.exe	46
PID 696 wrote to memory of 1732	696	svchcst.exe	46
PID 696 wrote to memory of 1732	696	svchcst.exe	46
PID 696 wrote to memory of 1732	696	svchcst.exe	46
PID 1732 wrote to memory of 2552	1732	WScript.exe	47
PID 1732 wrote to memory of 2552	1732	WScript.exe	47
PID 1732 wrote to memory of 2552	1732	WScript.exe	47
PID 1732 wrote to memory of 2552	1732	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe
"C:\Users\Admin\AppData\Local\Temp\22e06758adb89be0a930abd4904bfeda512ac904c3393c166f50ad02ec6030ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
6415bac95c4954609130d86c9aa492d0

SHA1
53dca1436edf9919605e0b79910919d78d4140a6

SHA256
cef99ea8c13300d2165f4ac86382efd3715be902a7508338af036d331d04330d

SHA512
40f5bc83f5c4fda72e19a12963bdb1ce0c87029cb8a4018ad77c5a692b7f5536f056ea23b2781d16e46c3ba703727de9f68fd9406055232da0dea593cfb30ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9d9867376c8284245aea97643987cadf

SHA1
fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

SHA256
b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

SHA512
2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f87426c21922acdb3012de5bc83aa566

SHA1
bfb950b5de196cf59171cbd44c6a6b68cef40f80

SHA256
0acc0b85260fcfce8df927f449d86d3e5b36e4de38980c590d720a11f8429232

SHA512
cb3e19fc36a2092ddbae32c4165ec5a802c1b1aedae0dd4fab79057ca8c63b8983946072ddb173587ded3355cf286fcac5463cb8a61bdb63db312c930c34369f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
008b338c1f283558ab9d21879e60ee69

SHA1
d3024e8964387278673cfd5d1f3ac4634803b291

SHA256
c79fcd720ec74343aa8e3f2b95f4522882fee568e762afe99cab575402ff4b2f

SHA512
e1b6a896f219934639dcaf468aa3e09269a0359f02980f0fd36289fdf24fb141b1c2cef2cb484efd5d8c8d99fca766e3100810063274a671e81d1b394f5d49a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fd3a18ee056d841a56effe3ebccd58f9

SHA1
1ddb01be4364b66e279adff6fa0fe858f4df5c81

SHA256
bba2ee4773f66c1d8f744acf6b36c023637185d09b04ca24aedb4d9e54f0db61

SHA512
d287329092238434e7d53a6f449696c730311f2e24bb047c6ba228e0bbcc1ed4a894db1ac68661e88eb80c6002117773ae2e3542303346db63505116de6707bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c6e0a9706da86eacec5a2779f1a3b5f

SHA1
730a118f7f4c783757be5aa7bba40de81aea28d4

SHA256
1b3d0fd3b361badceb7d681ba767d2f35ad42fecfd774e9a222fee83a3755e90

SHA512
d8340741e5bdcdbbcfa845fac3adadefc71bc6c6a6040f35c205b990fba319a0faf0219e9f9247e9676df2eb74fe2ec21de6f51611ea917e8aeb473ccb3bc872

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
51f64ffef096a064c1099d66c73dd8a1

SHA1
7d721e55e86dde789dffd7afb9b9ae130e6833be

SHA256
35b4bbb6c424377cba1b146e4ed1aa8cbcb396e8d02165469b4eb75c109f21f8

SHA512
3c25b6fdcd6ecfbc114434f1c9982e85a851a81dee64efd99555cd0c1e462dba9d1621f9b93bf2488e535e63ff9592984a0d99f00718e000228831952534eb80

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c1ca6124fcfddeac97c663f98783f2e

SHA1
436bf0957fbc4de76271ba404ae410332f7740c0

SHA256
fcd4238c685f3514aa914cff8c33cbded39389620fa733857e7306487b244279

SHA512
80985c289b6bc1f93b46ab3d2e5c97aa6a9889ddc977267465662a9442c41561a5290d02dec9f10715046f90259c5620d6ee607d46da50892597fa0bb6ca1bdd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e8f5a3548d2607278dd8af8495e6bac0

SHA1
1ceba344b0a4453c0a1b012f740296b592cd53c8

SHA256
5d97f50eaf63466b33ff2a67f08b5023c4c71d5f27de50343078b2bb76c029a8

SHA512
e9d460f93ed01ba109e8bf9bd3331053a5105a56d85d9f4138977d0b96973c8cf29628bc58560c11902ce9cae465b1282daf4d5179ae44b8a4d2805fdb62be0c

Download Submit
memory/2104-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download