4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe
Size

1.1MB
MD5

0602d75549ad33a5b55b88d47651d97b
SHA1

56dcf21343094bb0a6c7b1df085f24af9308d733
SHA256

4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b
SHA512

80c830a443aaf951e2f623addb1259580ae8e8eb9f3fe120465b3be0db4175d4e78e943a1558a4556f926160cbeff097ed326265a7ca9200aaab0ccfaa32fe92
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMy

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2132	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2132	svchcst.exe
2168	svchcst.exe
1316	svchcst.exe
2936	svchcst.exe
1000	svchcst.exe
1708	svchcst.exe
1512	svchcst.exe
2332	svchcst.exe
2128	svchcst.exe
3008	svchcst.exe
2172	svchcst.exe
1952	svchcst.exe
848	svchcst.exe
1292	svchcst.exe
1040	svchcst.exe
1288	svchcst.exe
1796	svchcst.exe
2460	svchcst.exe
3012	svchcst.exe
3008	svchcst.exe
2420	svchcst.exe
1940	svchcst.exe
1100	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2920	WScript.exe
2920	WScript.exe
1492	WScript.exe
1492	WScript.exe
1260	WScript.exe
1260	WScript.exe
352	WScript.exe
352	WScript.exe
2324	WScript.exe
2324	WScript.exe
1540	WScript.exe
1540	WScript.exe
1288	WScript.exe
1288	WScript.exe
2120	WScript.exe
2120	WScript.exe
2840	WScript.exe
2840	WScript.exe
1384	WScript.exe
1384	WScript.exe
2880	WScript.exe
2880	WScript.exe
2480	WScript.exe
2480	WScript.exe
1976	WScript.exe
1976	WScript.exe
1208	WScript.exe
1208	WScript.exe
2508	WScript.exe
2508	WScript.exe
2116	WScript.exe
2116	WScript.exe
2404	WScript.exe
2404	WScript.exe
2644	WScript.exe
2644	WScript.exe
1016	WScript.exe
1016	WScript.exe
2088	WScript.exe
2088	WScript.exe
3060	WScript.exe
3060	WScript.exe
1808	WScript.exe
1808	WScript.exe
1876	WScript.exe
1876	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe
2132	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe
2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe
2132	svchcst.exe
2132	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
1316	svchcst.exe
1316	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
1000	svchcst.exe
1000	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
848	svchcst.exe
848	svchcst.exe
1292	svchcst.exe
1292	svchcst.exe
1040	svchcst.exe
1040	svchcst.exe
1288	svchcst.exe
1288	svchcst.exe
1796	svchcst.exe
1796	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe
1100	svchcst.exe
1100	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2920	2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe	30
PID 2764 wrote to memory of 2920	2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe	30
PID 2764 wrote to memory of 2920	2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe	30
PID 2764 wrote to memory of 2920	2764	4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe	30
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2920 wrote to memory of 2132	2920	WScript.exe	32
PID 2132 wrote to memory of 1492	2132	svchcst.exe	33
PID 2132 wrote to memory of 1492	2132	svchcst.exe	33
PID 2132 wrote to memory of 1492	2132	svchcst.exe	33
PID 2132 wrote to memory of 1492	2132	svchcst.exe	33
PID 1492 wrote to memory of 2168	1492	WScript.exe	34
PID 1492 wrote to memory of 2168	1492	WScript.exe	34
PID 1492 wrote to memory of 2168	1492	WScript.exe	34
PID 1492 wrote to memory of 2168	1492	WScript.exe	34
PID 2168 wrote to memory of 1260	2168	svchcst.exe	35
PID 2168 wrote to memory of 1260	2168	svchcst.exe	35
PID 2168 wrote to memory of 1260	2168	svchcst.exe	35
PID 2168 wrote to memory of 1260	2168	svchcst.exe	35
PID 1260 wrote to memory of 1316	1260	WScript.exe	36
PID 1260 wrote to memory of 1316	1260	WScript.exe	36
PID 1260 wrote to memory of 1316	1260	WScript.exe	36
PID 1260 wrote to memory of 1316	1260	WScript.exe	36
PID 1316 wrote to memory of 352	1316	svchcst.exe	37
PID 1316 wrote to memory of 352	1316	svchcst.exe	37
PID 1316 wrote to memory of 352	1316	svchcst.exe	37
PID 1316 wrote to memory of 352	1316	svchcst.exe	37
PID 352 wrote to memory of 2936	352	WScript.exe	38
PID 352 wrote to memory of 2936	352	WScript.exe	38
PID 352 wrote to memory of 2936	352	WScript.exe	38
PID 352 wrote to memory of 2936	352	WScript.exe	38
PID 2936 wrote to memory of 2324	2936	svchcst.exe	39
PID 2936 wrote to memory of 2324	2936	svchcst.exe	39
PID 2936 wrote to memory of 2324	2936	svchcst.exe	39
PID 2936 wrote to memory of 2324	2936	svchcst.exe	39
PID 2324 wrote to memory of 1000	2324	WScript.exe	41
PID 2324 wrote to memory of 1000	2324	WScript.exe	41
PID 2324 wrote to memory of 1000	2324	WScript.exe	41
PID 2324 wrote to memory of 1000	2324	WScript.exe	41
PID 1000 wrote to memory of 1540	1000	svchcst.exe	42
PID 1000 wrote to memory of 1540	1000	svchcst.exe	42
PID 1000 wrote to memory of 1540	1000	svchcst.exe	42
PID 1000 wrote to memory of 1540	1000	svchcst.exe	42
PID 1540 wrote to memory of 1708	1540	WScript.exe	43
PID 1540 wrote to memory of 1708	1540	WScript.exe	43
PID 1540 wrote to memory of 1708	1540	WScript.exe	43
PID 1540 wrote to memory of 1708	1540	WScript.exe	43
PID 1708 wrote to memory of 1288	1708	svchcst.exe	44
PID 1708 wrote to memory of 1288	1708	svchcst.exe	44
PID 1708 wrote to memory of 1288	1708	svchcst.exe	44
PID 1708 wrote to memory of 1288	1708	svchcst.exe	44
PID 1288 wrote to memory of 1512	1288	WScript.exe	45
PID 1288 wrote to memory of 1512	1288	WScript.exe	45
PID 1288 wrote to memory of 1512	1288	WScript.exe	45
PID 1288 wrote to memory of 1512	1288	WScript.exe	45
PID 1512 wrote to memory of 2120	1512	svchcst.exe	46
PID 1512 wrote to memory of 2120	1512	svchcst.exe	46
PID 1512 wrote to memory of 2120	1512	svchcst.exe	46
PID 1512 wrote to memory of 2120	1512	svchcst.exe	46
PID 2120 wrote to memory of 2332	2120	WScript.exe	47
PID 2120 wrote to memory of 2332	2120	WScript.exe	47
PID 2120 wrote to memory of 2332	2120	WScript.exe	47
PID 2120 wrote to memory of 2332	2120	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe
"C:\Users\Admin\AppData\Local\Temp\4045c71af1ffd22e559057d759f13f79ddacae3954827c74b47d9de7a74d693b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
e419f82946fb94b466519c8144d0b50a

SHA1
cb6647f1f3057fa1b0ddec12facebca44452149f

SHA256
38ff4904b5e415dec7dc018aecfc0423f00f2d2c52a60fff26c11ccff0ca8345

SHA512
2b2e990815021409987a49ad95e7af80a7fb26482e500a98ac940d3cbe745a40caa5fe0db656bdbf628ce06da800737df8aa2bb2f4318167cb851551d8d6a8db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1666f4ac9d5885e48b977b9d3d519170

SHA1
344a5864b538f3776c7011f0d0533540264f3f8d

SHA256
e6096a0131380d932a545f655637b9bd62e1b58e5f1b6b84d80dccd95be5bbce

SHA512
096ada12bcc70127d546a542e300aeb03d5795890323c0164b5a3ed2fe699e5e0e845b8d6f723d588205fe219a924a5fe70250127cb92cc0658f177d68815ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c82c311d558c3564f10ed3ccc831b8fd

SHA1
7600ebb142343df8a64c85e71299ba4cb87a351a

SHA256
587ad443f8065664eeafbe474f21e287befac6aef3922b7b54be9b6986caeab3

SHA512
4896a9c280e90b24f14d70db228a09bf3b5866df2b9d5e23926a0119caced2e8a500f8d290e0115781297822d7c21a4a10aeccd6e17a2535926320641aaeb683

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
18a01508ecb0beb4047fbd5cac881550

SHA1
42a9d952ee2f58d7616056d12ceeffadc530b691

SHA256
c221b890344daa769f5a08b1077c7aac37d0e1fcc1b4ea0ba886ea20d03a8d76

SHA512
bd0dfffbbf380c911d8fb2ab750f0ca98d8a0f2c4bc3ab27ddc5e4db95b561c984c057965e46dcff51b781f580ada499ba95dcdba3858ba2660865b6f17f92ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62e9375702bfaede23745cdc5f079a47

SHA1
9dea15b238cebf808f9e962aa613ee6849d11000

SHA256
caabf88b54e8347d4d68204153226cf563bdafb63a7f93a9dad5fff2bd09dae4

SHA512
582c644672a4e7c08ba7537827826a67ab156e0e3a7f1a2ce45647c4c81ce667053515c965578dff6cb68a8608dd70a0526f3f4f41b46d281e9f29340c2c7f87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2555777d0d83e66a514ffd6a0bad1f07

SHA1
f61105599aeb11c0fb56483fc5ef9faabb537c7a

SHA256
071aa4c67421cbdedcb47121ceff38ee5130f329dc6687419024ccce322772d6

SHA512
22358060e23bc61232ad9197f2e1d10b85badaaf46de455dc284a1b41fba3702f88ce36485f28123e2f0bcf184d45ca4083c2b2b645b5fb82165bc2641000397

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5ac225f55d2f0c2a587e17f1fbc2207

SHA1
032d5832e6f7086e3c990011661a37c0a359d63e

SHA256
2590e3732eb44d99935194188463c327e0646fe2bf6c8a85617ca1aa2620b14f

SHA512
e25b9b66152c604a5e6e721ac223f0cb32de7e288584934e91b9b8d3a6a9c97f4ae3fe408373bf4e786b6e7cc5e08d86761cf8483fc43dffe8cc3249cd5e1808

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
56e7df103a99803400d36457537e87bf

SHA1
ffa2561d4bd9b46cc522b65dc5b653089f681e34

SHA256
d06a81d115d7733560d9b668759e546ca522cabe76b29220a242e40be8afbcae

SHA512
320246e3bedc2efcf961f0e6d82d64c33f593b70874292ca209d6148892a89a564623efc6428f31809fbf4aa996e208a053f5e2c9219327ababb0c47e2711e00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b74b00e3957298d67fb5c5f77ce3c12f

SHA1
e2acfb4e7ab2018171ebf7ba3aec13d8dfd8b5a5

SHA256
a099cfcbe30110dd8d6c3180b3b09cb4f427425eca2e8c9f8b2858c00529d1a3

SHA512
aa799a584600280d6167c1f6b6f00a5a7390d4b66eaf370cb477f5aa50b4ec1921749bfa88e3e987b6c4b33455c72bc9d64e9b7e8b7fd3a99466f9a921c7ea8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
41eb3ea4e529c003a41f4899d63ad9b7

SHA1
3a05bcd8941f1f3ea381ab4511a86d9315ae1ede

SHA256
de15c5334619049ec4eb4202ed6c2400dd9ece8e31cac8d6c68b2105f62e71be

SHA512
0b91559141f9546e62d3322c46686490791c2ef3ecf695bff467e0fda9896fd1c10db64ee05d1bf804bc0a9befe32e714cead4e839cb1f041d5145da0eccf2b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
120f0edc8157f6375d2d7265930a10c1

SHA1
73f5b4edfd706df2cc5c72be308ffd635015147d

SHA256
808945ceb24d7cb974689a48b9b69c56fd8490e4b2315932d6079a5539e37b6d

SHA512
fcc7fd37773afda3bd574078f9098dddd320ae2569bd1fdff8373974024d7f78b834b7e50d69393c54ac44bf81e8a365b0559e89724b2248aac2c59382c7a701

Download Submit
memory/2764-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download