b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cb

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
Size

1.1MB
MD5

a13dddc4bb10999f4c58655bae0231a0
SHA1

7442277c055a1fe591417bbfdb4f9f3e2d99cc83
SHA256

b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cb
SHA512

b26e033a73a6c157bf97c32b016e95b05310104165f7cbb61b54346165aea71b32af6372fbc2c5c357871872e12e4f46df1b92398e45155d3c2f63b7b92831cf
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qx:acallSllG4ZM7QzMC

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2068	svchcst.exe

Executes dropped EXE 19 IoCs

pid	Process
2068	svchcst.exe
2660	svchcst.exe
588	svchcst.exe
2368	svchcst.exe
1840	svchcst.exe
608	svchcst.exe
1600	svchcst.exe
2616	svchcst.exe
1680	svchcst.exe
688	svchcst.exe
1052	svchcst.exe
2932	svchcst.exe
960	svchcst.exe
1760	svchcst.exe
868	svchcst.exe
2000	svchcst.exe
2836	svchcst.exe
936	svchcst.exe
1940	svchcst.exe

Loads dropped DLL 30 IoCs

pid	Process
2720	WScript.exe
2720	WScript.exe
1816	WScript.exe
2268	WScript.exe
2432	WScript.exe
1136	WScript.exe
1136	WScript.exe
1136	WScript.exe
2276	WScript.exe
2276	WScript.exe
2668	WScript.exe
2668	WScript.exe
2104	WScript.exe
2104	WScript.exe
2888	WScript.exe
2888	WScript.exe
2232	WScript.exe
2232	WScript.exe
2232	WScript.exe
2232	WScript.exe
1844	WScript.exe
1844	WScript.exe
2700	WScript.exe
2700	WScript.exe
2308	WScript.exe
2308	WScript.exe
2908	WScript.exe
2908	WScript.exe
2804	WScript.exe
2804	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
2068	svchcst.exe
2068	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
588	svchcst.exe
588	svchcst.exe
2368	svchcst.exe
2368	svchcst.exe
1840	svchcst.exe
1840	svchcst.exe
608	svchcst.exe
608	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
688	svchcst.exe
688	svchcst.exe
1052	svchcst.exe
1052	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
960	svchcst.exe
960	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
2836	svchcst.exe
2836	svchcst.exe
936	svchcst.exe
936	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2720	1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	30
PID 1448 wrote to memory of 2720	1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	30
PID 1448 wrote to memory of 2720	1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	30
PID 1448 wrote to memory of 2720	1448	b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe	30
PID 2720 wrote to memory of 2068	2720	WScript.exe	32
PID 2720 wrote to memory of 2068	2720	WScript.exe	32
PID 2720 wrote to memory of 2068	2720	WScript.exe	32
PID 2720 wrote to memory of 2068	2720	WScript.exe	32
PID 2068 wrote to memory of 1816	2068	svchcst.exe	33
PID 2068 wrote to memory of 1816	2068	svchcst.exe	33
PID 2068 wrote to memory of 1816	2068	svchcst.exe	33
PID 2068 wrote to memory of 1816	2068	svchcst.exe	33
PID 1816 wrote to memory of 2660	1816	WScript.exe	34
PID 1816 wrote to memory of 2660	1816	WScript.exe	34
PID 1816 wrote to memory of 2660	1816	WScript.exe	34
PID 1816 wrote to memory of 2660	1816	WScript.exe	34
PID 2660 wrote to memory of 2268	2660	svchcst.exe	35
PID 2660 wrote to memory of 2268	2660	svchcst.exe	35
PID 2660 wrote to memory of 2268	2660	svchcst.exe	35
PID 2660 wrote to memory of 2268	2660	svchcst.exe	35
PID 2268 wrote to memory of 588	2268	WScript.exe	36
PID 2268 wrote to memory of 588	2268	WScript.exe	36
PID 2268 wrote to memory of 588	2268	WScript.exe	36
PID 2268 wrote to memory of 588	2268	WScript.exe	36
PID 588 wrote to memory of 2432	588	svchcst.exe	37
PID 588 wrote to memory of 2432	588	svchcst.exe	37
PID 588 wrote to memory of 2432	588	svchcst.exe	37
PID 588 wrote to memory of 2432	588	svchcst.exe	37
PID 2432 wrote to memory of 2368	2432	WScript.exe	38
PID 2432 wrote to memory of 2368	2432	WScript.exe	38
PID 2432 wrote to memory of 2368	2432	WScript.exe	38
PID 2432 wrote to memory of 2368	2432	WScript.exe	38
PID 2368 wrote to memory of 1136	2368	svchcst.exe	39
PID 2368 wrote to memory of 1136	2368	svchcst.exe	39
PID 2368 wrote to memory of 1136	2368	svchcst.exe	39
PID 2368 wrote to memory of 1136	2368	svchcst.exe	39
PID 1136 wrote to memory of 1840	1136	WScript.exe	40
PID 1136 wrote to memory of 1840	1136	WScript.exe	40
PID 1136 wrote to memory of 1840	1136	WScript.exe	40
PID 1136 wrote to memory of 1840	1136	WScript.exe	40
PID 1840 wrote to memory of 1520	1840	svchcst.exe	41
PID 1840 wrote to memory of 1520	1840	svchcst.exe	41
PID 1840 wrote to memory of 1520	1840	svchcst.exe	41
PID 1840 wrote to memory of 1520	1840	svchcst.exe	41
PID 1136 wrote to memory of 608	1136	WScript.exe	42
PID 1136 wrote to memory of 608	1136	WScript.exe	42
PID 1136 wrote to memory of 608	1136	WScript.exe	42
PID 1136 wrote to memory of 608	1136	WScript.exe	42
PID 608 wrote to memory of 2276	608	svchcst.exe	43
PID 608 wrote to memory of 2276	608	svchcst.exe	43
PID 608 wrote to memory of 2276	608	svchcst.exe	43
PID 608 wrote to memory of 2276	608	svchcst.exe	43
PID 2276 wrote to memory of 1600	2276	WScript.exe	44
PID 2276 wrote to memory of 1600	2276	WScript.exe	44
PID 2276 wrote to memory of 1600	2276	WScript.exe	44
PID 2276 wrote to memory of 1600	2276	WScript.exe	44
PID 1600 wrote to memory of 2668	1600	svchcst.exe	45
PID 1600 wrote to memory of 2668	1600	svchcst.exe	45
PID 1600 wrote to memory of 2668	1600	svchcst.exe	45
PID 1600 wrote to memory of 2668	1600	svchcst.exe	45
PID 2668 wrote to memory of 2616	2668	WScript.exe	46
PID 2668 wrote to memory of 2616	2668	WScript.exe	46
PID 2668 wrote to memory of 2616	2668	WScript.exe	46
PID 2668 wrote to memory of 2616	2668	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe
"C:\Users\Admin\AppData\Local\Temp\b67ec9cdfc95a6cac6c13f0b86db17e6e618447c8ae438a7376539749d5238cbN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
754B

MD5
d6bb372fe7ab0e785b850c6f265ddd3e

SHA1
8ba08d5fb5e5f6bfceca4426bbd967c95be37de2

SHA256
846411449ff506475986fa5e7d4461cf2f96f7aebbb4f24ccb444b7cc5668e6a

SHA512
259342207a34fea83599070b2ae8b30801caae8e84e363ea999ea3c78d282de76a4e861708cb60e6071c707887f6c0658492967310795018a540b8d58786521b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d496f2ddd9c331e0afd7ce60bd69073d

SHA1
367ccb1afda2b797ccdb50ba58ee5c5e34584df8

SHA256
36ca26308e65134afb4ec12cde62cc1a8d8cad612fc3e42c321a26db44eb0424

SHA512
542772f3506f36461b1cf9daef68c985f50706ef2b983209a4e403861640d056d3748049c07da097678556d029f00a73d1c3a36fb9500bb9678dd839b040ead0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8e713d25e5bd7de0a8b32ddd03fcf5dc

SHA1
27b92fff3a085e4dea48d22bc1e19a3edf1da082

SHA256
2a1646df5f873821a1b21b2b40fcdcaf4d33d93f7e064fa782132ee41dae6b39

SHA512
56b6383f3caf4b8996643b219580028b1a2d4aed7cfe15eee7002e9b9280510a91a831df938a972d573f48a34a46ed792bb68fb9b98580c167c230c11f48ae20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
74da21f831079fb6021e5056ffdfac84

SHA1
cc666339fcfa7e7cd286c854fd47739aa9ad47a9

SHA256
0779ded87fe908c56f5d6cb386a3b2d0a64cb75f5721d5ed79938593d893d027

SHA512
975401f6698d7364d71a4c1fc480a30196dcc141bbaec7a103f439bdc68e433ba4e3d3c493bbe6d95af1bb949cce14ff5d3169ab1552c613bd81f3b6455c06e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fccbbe095b3a54198777fcae34dc9635

SHA1
16fca9091f58325d6fa19d4653f050f70e922910

SHA256
3fbd69ad647328639f4f4bc2c7a072b77f89ba0d3e7e4a97c4e759d943b701be

SHA512
4665747f989cc490cc56cb12db25c6b68c2e4c94467ab9a1b84023e52da421d8fed5df9127cf2c5f663681905266b014994f33213d2be37996d6f057574e8694

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ad71091efa315bdd2ce978771ac3a83e

SHA1
ec5c06d37a7d56e3537eebfe8394438e40833093

SHA256
412a2fa63863c1e892c01834e393cff6b6046723a43e7820b4b4db12eca76189

SHA512
5de3879d2bb56e096a8b7638cad62020b979c5351a128536e66db768130e91badb7b6f2220fb3856b3553d9b9283480ee7bc914780729ce838b8f7c9f641a240

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3fda305b8d8e25a05efc65bec24bc3f6

SHA1
c3b50f29d8bdc625e77b2eb2d038de77d95934cf

SHA256
a0466d0c06e22f95e38ef301e91a0fd393460e6f7de020cfeac2cfe21ae354fb

SHA512
3c7c44d45a7cfc10bd308a89f2d65ca35ca25bdd921fd8d92c58670a53b742ea2f4cefd32640e970e393904d4fc9c718a7f3c16c5a6b76a6d978fdbb65bb1f88

Download Submit
memory/588-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/588-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/608-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/608-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/688-133-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/868-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/936-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/960-167-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1052-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1052-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1136-77-0x0000000004590000-0x00000000046EF000-memory.dmp

Filesize
1.4MB

Download
memory/1448-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1448-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1600-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-127-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1680-135-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1760-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1840-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1844-180-0x0000000005E10000-0x0000000005F6F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1940-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-122-0x0000000005B70000-0x0000000005CCF000-memory.dmp

Filesize
1.4MB

Download
memory/2232-175-0x00000000045E0000-0x000000000473F000-memory.dmp

Filesize
1.4MB

Download
memory/2232-150-0x0000000005D50000-0x0000000005EAF000-memory.dmp

Filesize
1.4MB

Download
memory/2232-162-0x0000000005D50000-0x0000000005EAF000-memory.dmp

Filesize
1.4MB

Download
memory/2232-188-0x00000000045E0000-0x000000000473F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-90-0x0000000005D60000-0x0000000005EBF000-memory.dmp

Filesize
1.4MB

Download
memory/2368-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-59-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2432-50-0x0000000004660000-0x00000000047BF000-memory.dmp

Filesize
1.4MB

Download
memory/2616-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-106-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-36-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2660-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-105-0x00000000041E0000-0x000000000433F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-14-0x0000000005C20000-0x0000000005D7F000-memory.dmp

Filesize
1.4MB

Download
memory/2720-16-0x0000000005C20000-0x0000000005D7F000-memory.dmp

Filesize
1.4MB

Download
memory/2836-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-138-0x0000000005B00000-0x0000000005C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-159-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download