a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe
Size

1.1MB
MD5

73d908cd0e8e8658fc4a0ce8d71c66bc
SHA1

3e9302fbde0d06776ed05d85f7043c9f704ea95e
SHA256

a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e
SHA512

c5a76ea7ecff74f3f389023ad41773b8cb2848da747054914ba11a20164102fb02e9136cc88a58b26d325df644945ebd32564e96d41b65a8f3aba1bcb21e06a7
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qk:CcaClSFlG4ZM7QzMD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
476	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
476	svchcst.exe
2068	svchcst.exe
1804	svchcst.exe
2272	svchcst.exe
1524	svchcst.exe
2428	svchcst.exe
2396	svchcst.exe
2644	svchcst.exe
2676	svchcst.exe
2832	svchcst.exe
2280	svchcst.exe
840	svchcst.exe
2192	svchcst.exe
1164	svchcst.exe
556	svchcst.exe
320	svchcst.exe
2644	svchcst.exe
2828	svchcst.exe
2900	svchcst.exe
1328	svchcst.exe
1820	svchcst.exe
400	svchcst.exe
2392	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2976	WScript.exe
2976	WScript.exe
572	WScript.exe
572	WScript.exe
2792	WScript.exe
2792	WScript.exe
1856	WScript.exe
1856	WScript.exe
1940	WScript.exe
1940	WScript.exe
1560	WScript.exe
1560	WScript.exe
2404	WScript.exe
2404	WScript.exe
2788	WScript.exe
2788	WScript.exe
1688	WScript.exe
1688	WScript.exe
1868	WScript.exe
1868	WScript.exe
668	WScript.exe
668	WScript.exe
2196	WScript.exe
2196	WScript.exe
1616	WScript.exe
1616	WScript.exe
2352	WScript.exe
2352	WScript.exe
1036	WScript.exe
1036	WScript.exe
2772	WScript.exe
2772	WScript.exe
2084	WScript.exe
2084	WScript.exe
2060	WScript.exe
2060	WScript.exe
2840	WScript.exe
2840	WScript.exe
1868	WScript.exe
1868	WScript.exe
668	WScript.exe
668	WScript.exe
3036	WScript.exe
3036	WScript.exe
2024	WScript.exe
2024	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe
476	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe
2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe
476	svchcst.exe
476	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
2272	svchcst.exe
2272	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
840	svchcst.exe
840	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
1164	svchcst.exe
1164	svchcst.exe
556	svchcst.exe
556	svchcst.exe
320	svchcst.exe
320	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2828	svchcst.exe
2828	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
1328	svchcst.exe
1328	svchcst.exe
1820	svchcst.exe
1820	svchcst.exe
400	svchcst.exe
400	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2976	2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe	30
PID 2896 wrote to memory of 2976	2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe	30
PID 2896 wrote to memory of 2976	2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe	30
PID 2896 wrote to memory of 2976	2896	a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe	30
PID 2976 wrote to memory of 476	2976	WScript.exe	32
PID 2976 wrote to memory of 476	2976	WScript.exe	32
PID 2976 wrote to memory of 476	2976	WScript.exe	32
PID 2976 wrote to memory of 476	2976	WScript.exe	32
PID 476 wrote to memory of 572	476	svchcst.exe	33
PID 476 wrote to memory of 572	476	svchcst.exe	33
PID 476 wrote to memory of 572	476	svchcst.exe	33
PID 476 wrote to memory of 572	476	svchcst.exe	33
PID 572 wrote to memory of 2068	572	WScript.exe	34
PID 572 wrote to memory of 2068	572	WScript.exe	34
PID 572 wrote to memory of 2068	572	WScript.exe	34
PID 572 wrote to memory of 2068	572	WScript.exe	34
PID 2068 wrote to memory of 2792	2068	svchcst.exe	35
PID 2068 wrote to memory of 2792	2068	svchcst.exe	35
PID 2068 wrote to memory of 2792	2068	svchcst.exe	35
PID 2068 wrote to memory of 2792	2068	svchcst.exe	35
PID 2792 wrote to memory of 1804	2792	WScript.exe	36
PID 2792 wrote to memory of 1804	2792	WScript.exe	36
PID 2792 wrote to memory of 1804	2792	WScript.exe	36
PID 2792 wrote to memory of 1804	2792	WScript.exe	36
PID 1804 wrote to memory of 1856	1804	svchcst.exe	37
PID 1804 wrote to memory of 1856	1804	svchcst.exe	37
PID 1804 wrote to memory of 1856	1804	svchcst.exe	37
PID 1804 wrote to memory of 1856	1804	svchcst.exe	37
PID 1856 wrote to memory of 2272	1856	WScript.exe	39
PID 1856 wrote to memory of 2272	1856	WScript.exe	39
PID 1856 wrote to memory of 2272	1856	WScript.exe	39
PID 1856 wrote to memory of 2272	1856	WScript.exe	39
PID 2272 wrote to memory of 1940	2272	svchcst.exe	40
PID 2272 wrote to memory of 1940	2272	svchcst.exe	40
PID 2272 wrote to memory of 1940	2272	svchcst.exe	40
PID 2272 wrote to memory of 1940	2272	svchcst.exe	40
PID 1940 wrote to memory of 1524	1940	WScript.exe	41
PID 1940 wrote to memory of 1524	1940	WScript.exe	41
PID 1940 wrote to memory of 1524	1940	WScript.exe	41
PID 1940 wrote to memory of 1524	1940	WScript.exe	41
PID 1524 wrote to memory of 1560	1524	svchcst.exe	42
PID 1524 wrote to memory of 1560	1524	svchcst.exe	42
PID 1524 wrote to memory of 1560	1524	svchcst.exe	42
PID 1524 wrote to memory of 1560	1524	svchcst.exe	42
PID 1524 wrote to memory of 1784	1524	svchcst.exe	43
PID 1524 wrote to memory of 1784	1524	svchcst.exe	43
PID 1524 wrote to memory of 1784	1524	svchcst.exe	43
PID 1524 wrote to memory of 1784	1524	svchcst.exe	43
PID 1560 wrote to memory of 2428	1560	WScript.exe	44
PID 1560 wrote to memory of 2428	1560	WScript.exe	44
PID 1560 wrote to memory of 2428	1560	WScript.exe	44
PID 1560 wrote to memory of 2428	1560	WScript.exe	44
PID 2428 wrote to memory of 2404	2428	svchcst.exe	45
PID 2428 wrote to memory of 2404	2428	svchcst.exe	45
PID 2428 wrote to memory of 2404	2428	svchcst.exe	45
PID 2428 wrote to memory of 2404	2428	svchcst.exe	45
PID 2404 wrote to memory of 2396	2404	WScript.exe	46
PID 2404 wrote to memory of 2396	2404	WScript.exe	46
PID 2404 wrote to memory of 2396	2404	WScript.exe	46
PID 2404 wrote to memory of 2396	2404	WScript.exe	46
PID 2396 wrote to memory of 2788	2396	svchcst.exe	47
PID 2396 wrote to memory of 2788	2396	svchcst.exe	47
PID 2396 wrote to memory of 2788	2396	svchcst.exe	47
PID 2396 wrote to memory of 2788	2396	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe
"C:\Users\Admin\AppData\Local\Temp\a97974a9207e20a5eb6848212afec2c9c27f5c83abca3a70e51eae6be1b1b56e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a1e767f02b7c635be938076d74bcc89c

SHA1
278f8b88a4fae9fb74430ca6c160496ea67cfd84

SHA256
99b83de5659f3e7aa290312f8a117d5564d54a6e216ad25903dff4988710260b

SHA512
2106cd8c92baf9369a80c7c7ce38b92d156200d15bd4c3d703d79edc54e56fb37873f9003d056b534cf40526c5da93bdfb709de9dddfd79575303d8961b32d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
599cb0eb82f139b5e067f0316e590303

SHA1
770b01f9f77a9f434d805a2cad7e25ab111a9fc4

SHA256
791420e8e4d185f2660ca0d65b14b6c42bd972304c470e02b4e69a3735e34df7

SHA512
cae4e94c9e9f4afbd487028632472b97e1d2b9de6fcec7999f907be30b47892818b1263e348a9815403093c0a9e95306a8431f039d167ab5e54ab709c7fc0bf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b7b12bffe6dac138ef6c6812cd65b916

SHA1
c931c61d72d67a6a52b19a7d478ded8bc7a26532

SHA256
b7c5c230ff8be50a3e0a3e301e6ba89fdcce4578e7fd949f98bd7b9fa5ae82a1

SHA512
f96444facef98d4a51eccb6bb693c5a2fb8008a3db2c3b4ca07dd46deeedfc2d3bbb2bc8ccc389cda3f4440cc4d5ff1c01ed880c3d7ba246f37d219b30907070

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c1cc00939a61432d2641e892f319af19

SHA1
29abbfa1088deda5db229eada8e1e611a850b155

SHA256
61c9d725fbdea9a6fd288d176660a75b86ff414d15316c66b10bf48f41d7011c

SHA512
865fd75d0bc006faa7ee39b67c3ee681020bb0bd2478682742216a627f82d56f92e9b80a02471f861054c5efef543d0abc0ddbc33fe0060c29bec512fee87754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
34253a37ec6564e53dfa971f89119944

SHA1
7d20b091b6edae75ef06d22411226cc84d599f48

SHA256
a6d9d9ddaf0d6e5e5ed2896a617ee367f105c130e55902da3235680d813b05ed

SHA512
d1108c31405f645674591a0650c54c78a4ac95b7a08f0d35b91a2230fe66c825db2c0196fa0ba7f7262b340154f9b5598803d7651bcfc077ffbbf9537d2cb907

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8854df58b365306f7f2e50cc8c530a3

SHA1
13015124111cb8de7f548c373226177c82ef6002

SHA256
5e377b3e3990ab1cfed7e8a971b984cb49730a60bd3e9c314e5933c458b47004

SHA512
4e8aac0bd1fa08928bd035cf3cdfed2b9c452731b71a01ee5c2f07d4b0823926c3cccc7717acaddeb7a78e714786082476121d2907e82e084da3faad1f220679

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3f01aced3d7d1b7715083b2dcd621d6c

SHA1
16b3985ae7cb8ef9b5cb89661053dac703aae184

SHA256
4290889a0d80088188b02c0580044f248f4b726c4941cff1d45798ef083d41fa

SHA512
46fc994b60bfdcbb1de70edfedc06d12839980c83964a0b610ebe6ddaed5d1111daa98c3993412a1defd6afdbe2b93606e50c940762344da69ec3a13c15cad60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
90709e90136203aa56e9e9dda9ee25f8

SHA1
d638fc9baa0c8fd51ee0e8d18596b1c004f7b680

SHA256
332cf635118330b87fc1d65af1713a398f63de769c0672851ddf6e8a89f4b6ac

SHA512
95f62af342fc61a600c1d767d5a4ed7bc1a01da68c35a7c852120a4cce544cbbf09a73a057a1ac338312267364317b718ef6f5ee89849dd693468c968ebc4cbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
94954ba07412013eb58ef7b71276cee4

SHA1
d3e2dfc5d87ad988169cd9702f4832865024b5f6

SHA256
a5fd205b7b093ef25fefaf54f336d733a69f9e92131b5d6be805248cd1f6e9a5

SHA512
7f6f703cfd21ffd67e496d84674670cb10034e726d85ce712957fdcd87de0be17e467247e05b30c4ec5a0794eba73237db71b507678b2dbe7813835650bc84c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a6df2b8d7c7de4deaea3e0cd46a5052

SHA1
f8fb5ad7b328718b99151ce7a4f886d0778ab098

SHA256
b3216c18001f9d6c36203649379fa87fd5f0d56c3514759c31a50ef9d4b1ff35

SHA512
f2f206c1ac752662e97864cce51dbe75c047c2bdcbc3c804b00aa29022563a98608f560fd07cebb6c0bdc38daf2ee0a4997c5bc0c54ef1e1dfe5ba4f94dcf6cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e2b8f94a723c7a00c682bb04da52062b

SHA1
3b32ca86c5d30a85fff7c46e6141713009e70e5e

SHA256
e140b2fd09312673d76d70d0429949f15b593bd648c84b5d206a2c480c39efde

SHA512
7ca24f719d0e6bc058143f60e0e01903fd9041772bbcb9c3c715c6a37ea2443ec1bd1481152967793a2f1e06222a91d85954605ff96c2b6ba43277cccdad8b07

Download Submit
memory/2896-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download