c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 00:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe
Size

1.1MB
MD5

4bd509afa47f54243f46c1a5afb6e23b
SHA1

1538bf16440612bdcd12936569676018585a416d
SHA256

c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5
SHA512

08a33a43c581401aed4ad3731773d4423bcb82b387c177788a5f72199a0d1df4403a2cee3be401e3058c111ec422262401ebbd618c2700a2d5266ee4f3a17015
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QC:CcaClSFlG4ZM7QzMh

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2904	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2904	svchcst.exe
1200	svchcst.exe
1732	svchcst.exe
856	svchcst.exe
448	svchcst.exe
1624	svchcst.exe
2468	svchcst.exe
924	svchcst.exe
2168	svchcst.exe
2856	svchcst.exe
2652	svchcst.exe
2668	svchcst.exe
1636	svchcst.exe
2180	svchcst.exe
900	svchcst.exe
956	svchcst.exe
1784	svchcst.exe
2752	svchcst.exe
1948	svchcst.exe
2368	svchcst.exe
2832	svchcst.exe
316	svchcst.exe
1616	svchcst.exe
344	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
1660	WScript.exe
1660	WScript.exe
2632	WScript.exe
112	WScript.exe
112	WScript.exe
2480	WScript.exe
956	WScript.exe
956	WScript.exe
956	WScript.exe
956	WScript.exe
1644	WScript.exe
2236	WScript.exe
3068	WScript.exe
3068	WScript.exe
3068	WScript.exe
1452	WScript.exe
1832	WScript.exe
1832	WScript.exe
1436	WScript.exe
1436	WScript.exe
1400	WScript.exe
1400	WScript.exe
2564	WScript.exe
2564	WScript.exe
1508	WScript.exe
1508	WScript.exe
804	WScript.exe
804	WScript.exe
2776	WScript.exe
2776	WScript.exe
680	WScript.exe
680	WScript.exe
2864	WScript.exe
2864	WScript.exe
112	WScript.exe
112	WScript.exe
2876	WScript.exe
2876	WScript.exe
1468	WScript.exe
1468	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe
2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe
2904	svchcst.exe
2904	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
856	svchcst.exe
856	svchcst.exe
448	svchcst.exe
448	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
924	svchcst.exe
924	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2668	svchcst.exe
2668	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
900	svchcst.exe
900	svchcst.exe
956	svchcst.exe
956	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
2752	svchcst.exe
2752	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
316	svchcst.exe
316	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
344	svchcst.exe
344	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1660	2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe	30
PID 2552 wrote to memory of 1660	2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe	30
PID 2552 wrote to memory of 1660	2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe	30
PID 2552 wrote to memory of 1660	2552	c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe	30
PID 1660 wrote to memory of 2904	1660	WScript.exe	33
PID 1660 wrote to memory of 2904	1660	WScript.exe	33
PID 1660 wrote to memory of 2904	1660	WScript.exe	33
PID 1660 wrote to memory of 2904	1660	WScript.exe	33
PID 2904 wrote to memory of 2632	2904	svchcst.exe	34
PID 2904 wrote to memory of 2632	2904	svchcst.exe	34
PID 2904 wrote to memory of 2632	2904	svchcst.exe	34
PID 2904 wrote to memory of 2632	2904	svchcst.exe	34
PID 2632 wrote to memory of 1200	2632	WScript.exe	35
PID 2632 wrote to memory of 1200	2632	WScript.exe	35
PID 2632 wrote to memory of 1200	2632	WScript.exe	35
PID 2632 wrote to memory of 1200	2632	WScript.exe	35
PID 1200 wrote to memory of 112	1200	svchcst.exe	36
PID 1200 wrote to memory of 112	1200	svchcst.exe	36
PID 1200 wrote to memory of 112	1200	svchcst.exe	36
PID 1200 wrote to memory of 112	1200	svchcst.exe	36
PID 112 wrote to memory of 1732	112	WScript.exe	37
PID 112 wrote to memory of 1732	112	WScript.exe	37
PID 112 wrote to memory of 1732	112	WScript.exe	37
PID 112 wrote to memory of 1732	112	WScript.exe	37
PID 1732 wrote to memory of 1932	1732	svchcst.exe	38
PID 1732 wrote to memory of 1932	1732	svchcst.exe	38
PID 1732 wrote to memory of 1932	1732	svchcst.exe	38
PID 1732 wrote to memory of 1932	1732	svchcst.exe	38
PID 112 wrote to memory of 856	112	WScript.exe	39
PID 112 wrote to memory of 856	112	WScript.exe	39
PID 112 wrote to memory of 856	112	WScript.exe	39
PID 112 wrote to memory of 856	112	WScript.exe	39
PID 856 wrote to memory of 2480	856	svchcst.exe	40
PID 856 wrote to memory of 2480	856	svchcst.exe	40
PID 856 wrote to memory of 2480	856	svchcst.exe	40
PID 856 wrote to memory of 2480	856	svchcst.exe	40
PID 2480 wrote to memory of 448	2480	WScript.exe	41
PID 2480 wrote to memory of 448	2480	WScript.exe	41
PID 2480 wrote to memory of 448	2480	WScript.exe	41
PID 2480 wrote to memory of 448	2480	WScript.exe	41
PID 448 wrote to memory of 956	448	svchcst.exe	42
PID 448 wrote to memory of 956	448	svchcst.exe	42
PID 448 wrote to memory of 956	448	svchcst.exe	42
PID 448 wrote to memory of 956	448	svchcst.exe	42
PID 956 wrote to memory of 1624	956	WScript.exe	43
PID 956 wrote to memory of 1624	956	WScript.exe	43
PID 956 wrote to memory of 1624	956	WScript.exe	43
PID 956 wrote to memory of 1624	956	WScript.exe	43
PID 1624 wrote to memory of 1644	1624	svchcst.exe	44
PID 1624 wrote to memory of 1644	1624	svchcst.exe	44
PID 1624 wrote to memory of 1644	1624	svchcst.exe	44
PID 1624 wrote to memory of 1644	1624	svchcst.exe	44
PID 956 wrote to memory of 2468	956	WScript.exe	45
PID 956 wrote to memory of 2468	956	WScript.exe	45
PID 956 wrote to memory of 2468	956	WScript.exe	45
PID 956 wrote to memory of 2468	956	WScript.exe	45
PID 1644 wrote to memory of 924	1644	WScript.exe	46
PID 1644 wrote to memory of 924	1644	WScript.exe	46
PID 1644 wrote to memory of 924	1644	WScript.exe	46
PID 1644 wrote to memory of 924	1644	WScript.exe	46
PID 2468 wrote to memory of 2236	2468	svchcst.exe	47
PID 2468 wrote to memory of 2236	2468	svchcst.exe	47
PID 2468 wrote to memory of 2236	2468	svchcst.exe	47
PID 2468 wrote to memory of 2236	2468	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe
"C:\Users\Admin\AppData\Local\Temp\c45980476739c8fd55dfe7209ff6cf1fa996ccb8ebe41020697a5ee5bb8cf0c5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
67b7037c4f6019390ec23b38b7e45472

SHA1
4fb8827be5e90a2c2e264318573913a5a75810c7

SHA256
19222bf620c09a06687320128c77d5bef05140e8539a1cb1d9c2228b25ae1110

SHA512
79ff8e9cad4c6020700181390b735e7c4947c57e482ce2eebffcca0a99c9db14fe6fb7c57154e97b532b881ac438fd262e0762281b7a8b546c7f34638d8a73ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bf8c66bc238068346f8bc94f6763b894

SHA1
43019b1b9d3d7e90719747856103a1af12d024ef

SHA256
de7fa3ae16d70f789b4d0aa427b017215cdb51f141038688ca5ba2cbb4060b5d

SHA512
a5d2d1662be29ceebb5d9441b537804722646c7ee3974d89d87bb37d1563bdbcac709f29e3251cf9d45845bdedd518bca99e203102b5c7f0e3657eca406277c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
da30c8dfaa9c2c9694328db7d1fc3757

SHA1
a3384b1c3858d3bdea170b30a30ac0c8263226db

SHA256
f92a6a9ecc85b55ee46d7b86e10c34349bbc26e307434cb613642ca401f555ab

SHA512
f73a0ba8e4580938469bad4de0c95895c2085e7cd1ed0608cb47a427ff41a4428ad7747c75bc46fc4f72d1c4c9c473ee960d11a1c9b9ab256b337d739485c1a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ad4579025b4c61f3cfa6b57582e91509

SHA1
9f9f8d31938101f7c406b8b31dbe7ded0ba35d69

SHA256
ab31caf73db875db813ccf25ce1b35ca7c6ce8295ae89730cb0167176fb0907e

SHA512
09513cd2f5cbfabc2f9b56d22f234701c2d1468bbbc0f237cef8b9cfe5b2449a120fd101a695c071693f52eebd05b99d6dbbea12c6f7634379d7679fff681b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
abe14a5af8fb1b3be4e72760ffc40cdb

SHA1
b138de86f52b47afcb6676add1428835ff4e04cf

SHA256
b6e77a60a866c8e40c494c9f1cff357bbe7b4dcd385ba405f2aa095b8b22817d

SHA512
f5626550d249dd8c3dd9bc06c30c4fa4e60c25f11dcfd1cee93eff2af2524f3fd30023a605e9e1503e893863b42ad3466b250dd1da2be97a86845ac5d5368688

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ea29f033f1d4e555d562814b452113aa

SHA1
75c739bb8e385586422034a91a8b9a33cddc5f6f

SHA256
0c7cf609d43817622371a8e7c5c4ada3430b63396bd15d1749f4f9344febba8a

SHA512
c5b1b3a9c8aea4363b3f333917e2decc0296af9866ca1f33be1750b564924d867ae94394d8d82418b25bacef3c44d1c13c172bf2a03f353baac3926826e30466

Download Submit
memory/2552-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download