9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
Size

1.1MB
MD5

d56f072d5a4276c300cefcd41af074ca
SHA1

1db46ff58058bcde4f92a023aaba9b6dcd96bf21
SHA256

9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173
SHA512

cc673ecd9d8f4668d81acfab2ed5616d9725c1a98ae5765f51da3b33e87cc4418ffe2746904ddd500a9029d2f825d74a914a68fa968f53e67c70d2366d31014e
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q8:CcaClSFlG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2612	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2612	svchcst.exe
2560	svchcst.exe
2136	svchcst.exe
1512	svchcst.exe
1632	svchcst.exe
1780	svchcst.exe
1056	svchcst.exe
2068	svchcst.exe
2792	svchcst.exe
1776	svchcst.exe
1136	svchcst.exe
2708	svchcst.exe
2960	svchcst.exe
2952	svchcst.exe
3008	svchcst.exe
2364	svchcst.exe
2388	svchcst.exe
3020	svchcst.exe
1984	svchcst.exe
1476	svchcst.exe
2484	svchcst.exe
2588	svchcst.exe
1620	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2140	WScript.exe
2140	WScript.exe
3064	WScript.exe
3064	WScript.exe
592	WScript.exe
856	WScript.exe
856	WScript.exe
856	WScript.exe
2900	WScript.exe
2900	WScript.exe
2428	WScript.exe
2428	WScript.exe
1936	WScript.exe
1936	WScript.exe
2896	WScript.exe
2896	WScript.exe
600	WScript.exe
600	WScript.exe
2348	WScript.exe
2348	WScript.exe
2892	WScript.exe
2892	WScript.exe
1500	WScript.exe
1500	WScript.exe
1708	WScript.exe
1708	WScript.exe
916	WScript.exe
916	WScript.exe
1588	WScript.exe
1588	WScript.exe
2868	WScript.exe
2868	WScript.exe
2912	WScript.exe
2912	WScript.exe
864	WScript.exe
864	WScript.exe
2836	WScript.exe
2836	WScript.exe
2232	WScript.exe
2232	WScript.exe
1096	WScript.exe
1096	WScript.exe
1100	WScript.exe
1100	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
2612	svchcst.exe
2612	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe
1056	svchcst.exe
1056	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
1776	svchcst.exe
1776	svchcst.exe
1136	svchcst.exe
1136	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
2388	svchcst.exe
2388	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
1984	svchcst.exe
1984	svchcst.exe
1476	svchcst.exe
1476	svchcst.exe
2484	svchcst.exe
2484	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2140	2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	30
PID 2572 wrote to memory of 2140	2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	30
PID 2572 wrote to memory of 2140	2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	30
PID 2572 wrote to memory of 2140	2572	9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe	30
PID 2140 wrote to memory of 2612	2140	WScript.exe	32
PID 2140 wrote to memory of 2612	2140	WScript.exe	32
PID 2140 wrote to memory of 2612	2140	WScript.exe	32
PID 2140 wrote to memory of 2612	2140	WScript.exe	32
PID 2612 wrote to memory of 3064	2612	svchcst.exe	33
PID 2612 wrote to memory of 3064	2612	svchcst.exe	33
PID 2612 wrote to memory of 3064	2612	svchcst.exe	33
PID 2612 wrote to memory of 3064	2612	svchcst.exe	33
PID 3064 wrote to memory of 2560	3064	WScript.exe	35
PID 3064 wrote to memory of 2560	3064	WScript.exe	35
PID 3064 wrote to memory of 2560	3064	WScript.exe	35
PID 3064 wrote to memory of 2560	3064	WScript.exe	35
PID 2560 wrote to memory of 592	2560	svchcst.exe	36
PID 2560 wrote to memory of 592	2560	svchcst.exe	36
PID 2560 wrote to memory of 592	2560	svchcst.exe	36
PID 2560 wrote to memory of 592	2560	svchcst.exe	36
PID 592 wrote to memory of 2136	592	WScript.exe	37
PID 592 wrote to memory of 2136	592	WScript.exe	37
PID 592 wrote to memory of 2136	592	WScript.exe	37
PID 592 wrote to memory of 2136	592	WScript.exe	37
PID 2136 wrote to memory of 856	2136	svchcst.exe	38
PID 2136 wrote to memory of 856	2136	svchcst.exe	38
PID 2136 wrote to memory of 856	2136	svchcst.exe	38
PID 2136 wrote to memory of 856	2136	svchcst.exe	38
PID 856 wrote to memory of 1512	856	WScript.exe	39
PID 856 wrote to memory of 1512	856	WScript.exe	39
PID 856 wrote to memory of 1512	856	WScript.exe	39
PID 856 wrote to memory of 1512	856	WScript.exe	39
PID 1512 wrote to memory of 2220	1512	svchcst.exe	40
PID 1512 wrote to memory of 2220	1512	svchcst.exe	40
PID 1512 wrote to memory of 2220	1512	svchcst.exe	40
PID 1512 wrote to memory of 2220	1512	svchcst.exe	40
PID 856 wrote to memory of 1632	856	WScript.exe	41
PID 856 wrote to memory of 1632	856	WScript.exe	41
PID 856 wrote to memory of 1632	856	WScript.exe	41
PID 856 wrote to memory of 1632	856	WScript.exe	41
PID 1632 wrote to memory of 2900	1632	svchcst.exe	42
PID 1632 wrote to memory of 2900	1632	svchcst.exe	42
PID 1632 wrote to memory of 2900	1632	svchcst.exe	42
PID 1632 wrote to memory of 2900	1632	svchcst.exe	42
PID 2900 wrote to memory of 1780	2900	WScript.exe	43
PID 2900 wrote to memory of 1780	2900	WScript.exe	43
PID 2900 wrote to memory of 1780	2900	WScript.exe	43
PID 2900 wrote to memory of 1780	2900	WScript.exe	43
PID 1780 wrote to memory of 2428	1780	svchcst.exe	44
PID 1780 wrote to memory of 2428	1780	svchcst.exe	44
PID 1780 wrote to memory of 2428	1780	svchcst.exe	44
PID 1780 wrote to memory of 2428	1780	svchcst.exe	44
PID 1780 wrote to memory of 2224	1780	svchcst.exe	45
PID 1780 wrote to memory of 2224	1780	svchcst.exe	45
PID 1780 wrote to memory of 2224	1780	svchcst.exe	45
PID 1780 wrote to memory of 2224	1780	svchcst.exe	45
PID 2428 wrote to memory of 1056	2428	WScript.exe	46
PID 2428 wrote to memory of 1056	2428	WScript.exe	46
PID 2428 wrote to memory of 1056	2428	WScript.exe	46
PID 2428 wrote to memory of 1056	2428	WScript.exe	46
PID 1056 wrote to memory of 1936	1056	svchcst.exe	47
PID 1056 wrote to memory of 1936	1056	svchcst.exe	47
PID 1056 wrote to memory of 1936	1056	svchcst.exe	47
PID 1056 wrote to memory of 1936	1056	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe
"C:\Users\Admin\AppData\Local\Temp\9cde58b27a90750fa26ef58f67ae8a080d6aae034966c41d281e3361175e3173.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
778b3bb6505c58072e7eac26bd5fa320

SHA1
d8445f4e0bb185158885e1628561d0cd01dac038

SHA256
58d728eff84b4abae19397020633c6da6fab08b8423d48fb33db1a0840494a72

SHA512
f6d6827c2f732ae8c8a8cb91d28eb22b6138d289fae0fdb2506d94e16f9cd90adbd31bc4c078b4de82e8a1621f3ba389039b94ae239e89c0d53743f140e2b447

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2af86d83545125b952334759f8554ae3

SHA1
ddfef7be6fbd8d8185c772a9a78eb18617a9637b

SHA256
7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d

SHA512
38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
91e57e3a520cf3e19bf30d99faa362d3

SHA1
8c99c3104dc6152e59e3732f5a05ef6cabf0b32a

SHA256
9cdebc973a72d8e0b135aba25ae400afb407b8d50c30024b1a272bd3f5292cfa

SHA512
8d9761c7bf5c550011fdec082356a96d7cf16254968072d156a44dfd986b9fe47ae784513bb72298a50afac6713cf9aa727608e018136102dba778996604f59f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
19d4924a3fa9a4bd028ec31916651f38

SHA1
bbf999c0270167c5b0e8385167847345b77584c3

SHA256
18dc77ed0e89ce81159f59d96a91aa1ceef242797c3067d3df47fdb408c9694e

SHA512
f0fc7faeda19ee29bca05cdf1a528027852f1448150ea3144536756e6960fcab73b2504258850f79dca79819e95d2492379af47c6586e5fdc2a633adb3e26425

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8a9bd0d9d2bbf8939e2e118cff5c425c

SHA1
154deeb3aaa21ebf49cd6fe6881bc754e7fd38b8

SHA256
372d47bbed94db8ef0e421e578164ac841599bd8d86ce5254fe11dd51259f6e2

SHA512
40464f83a41c49b69faf70adfa0a3442a2931651219320c99f997724405a317b8c94ec31db89a3e91c8710f78316ef0e555fae9506ade112616110872e29ab44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
51dc888f80cccfbe54f94ce68502de94

SHA1
50745a101db43b609e00f8ab0522ea8331100375

SHA256
8b879740005da04f15e253559896c9da9f471389fcac2297d79dfdd40a186475

SHA512
54c2889a701d2b6d4e2086e37062c3610f826cf5043332dd30a87988cc13c15dd4fe982aed6f912c2a4097bb0bfa2808ee288f326090469b4d3cca39b32dff07

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5735d5dae986ccdc5bfd1c98023fc890

SHA1
766c1cbc723f41702b144532a3f0bd8a11207f47

SHA256
a813e51907b4a1c4c98dd386a1b400467f56635e2c02b8f67636139a000549cf

SHA512
b313b3b2ae5e3da4f582e2ef8e27e5bd3e8a0d80533dd923bd8ed5ba14316b688dde3336103a80b058015e27aeb74a982925f7edbee0dfcb80aa156d9e5744a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
967e8c2924a4845e78d42f0a792be0af

SHA1
956b5f6e83530d64cca2d5971722341adb68cea7

SHA256
cecd17e2514a15bb5c8c81abec56fa817ee76685d827117c7e252f966ee526a1

SHA512
ba0fbe508e8c74658de1aba76540a3896b202b219c0ecabffdc78603fdf03becb21fab623d85ca4fb6b802e435f8f2704d0766c921de94074c044555b1c2ce80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8ddd8554313deffb0e36b216d9323f26

SHA1
6b777fff615ef103e312c40dd050f6909632d1fb

SHA256
00fd6bbe107b2fbb88c36b5fb40b7f1780b73231a7b49a4d52444414d8218afa

SHA512
832c35933b7a39e86af62b0e458217309469cc0aa1b251a771afbd7695dbf962ba54980ed440ec8ea9b045b4f2dca18f5eb8495f5abb25203ba1ee65d0e8f102

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
805f5942ddd569bb5157c5a643e80b9e

SHA1
94f38462742f7280837c4e549f22f3bb78ab9d02

SHA256
a7c8dc5372eafdf3846cba75cb0555d2ac92782e92c423641edddcf661361e1b

SHA512
f4e46c6c4875b6680bd9695dff930bc99750e6732bf2296bc8058fa6b8f9a277d9c7c5fe4ed65d0aadf7aac6e5058e2814882121219c118c3e2744adb1064606

Download Submit
memory/2572-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download