a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
Size

1.1MB
MD5

8d87d05ca04413c9cfc7e5d56692fc6d
SHA1

1ee85396d84d27830c145eec3f7a00a6ea50d097
SHA256

a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0
SHA512

6d1ce16db3324c5529733787c10f7c9a50250a83008061129672bbcf5e4ba5e4b2aa9a330fcc29751c6f24dc7d885f7ec95932137f30b66d6f682bf1df4411a2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QS:CcaClSFlG4ZM7QzMR

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2524	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2524	svchcst.exe
2540	svchcst.exe
276	svchcst.exe
2208	svchcst.exe
268	svchcst.exe
1980	svchcst.exe
1956	svchcst.exe
2840	svchcst.exe
2584	svchcst.exe
1464	svchcst.exe
1120	svchcst.exe
2260	svchcst.exe
2992	svchcst.exe
3060	svchcst.exe
1524	svchcst.exe
2660	svchcst.exe
3024	svchcst.exe
2088	svchcst.exe
2320	svchcst.exe
276	svchcst.exe
2264	svchcst.exe
1284	svchcst.exe
1028	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
2708	WScript.exe
2708	WScript.exe
2896	WScript.exe
1280	WScript.exe
536	WScript.exe
536	WScript.exe
2076	WScript.exe
2076	WScript.exe
1696	WScript.exe
1696	WScript.exe
2984	WScript.exe
2984	WScript.exe
2916	WScript.exe
2916	WScript.exe
764	WScript.exe
764	WScript.exe
1356	WScript.exe
1356	WScript.exe
2732	WScript.exe
548	WScript.exe
548	WScript.exe
408	WScript.exe
408	WScript.exe
2620	WScript.exe
2620	WScript.exe
1944	WScript.exe
1944	WScript.exe
1956	WScript.exe
1956	WScript.exe
2920	WScript.exe
2920	WScript.exe
2892	WScript.exe
2892	WScript.exe
1728	WScript.exe
1728	WScript.exe
2540	WScript.exe
2540	WScript.exe
2412	WScript.exe
2412	WScript.exe
928	WScript.exe
928	WScript.exe
800	WScript.exe
800	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
2524	svchcst.exe
2524	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
276	svchcst.exe
276	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
268	svchcst.exe
268	svchcst.exe
1980	svchcst.exe
1980	svchcst.exe
1956	svchcst.exe
1956	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
1464	svchcst.exe
1464	svchcst.exe
1120	svchcst.exe
1120	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
276	svchcst.exe
276	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
1028	svchcst.exe
1028	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 2708	764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	31
PID 764 wrote to memory of 2708	764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	31
PID 764 wrote to memory of 2708	764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	31
PID 764 wrote to memory of 2708	764	a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe	31
PID 2708 wrote to memory of 2524	2708	WScript.exe	33
PID 2708 wrote to memory of 2524	2708	WScript.exe	33
PID 2708 wrote to memory of 2524	2708	WScript.exe	33
PID 2708 wrote to memory of 2524	2708	WScript.exe	33
PID 2524 wrote to memory of 2896	2524	svchcst.exe	34
PID 2524 wrote to memory of 2896	2524	svchcst.exe	34
PID 2524 wrote to memory of 2896	2524	svchcst.exe	34
PID 2524 wrote to memory of 2896	2524	svchcst.exe	34
PID 2896 wrote to memory of 2540	2896	WScript.exe	35
PID 2896 wrote to memory of 2540	2896	WScript.exe	35
PID 2896 wrote to memory of 2540	2896	WScript.exe	35
PID 2896 wrote to memory of 2540	2896	WScript.exe	35
PID 2540 wrote to memory of 1280	2540	svchcst.exe	36
PID 2540 wrote to memory of 1280	2540	svchcst.exe	36
PID 2540 wrote to memory of 1280	2540	svchcst.exe	36
PID 2540 wrote to memory of 1280	2540	svchcst.exe	36
PID 1280 wrote to memory of 276	1280	WScript.exe	37
PID 1280 wrote to memory of 276	1280	WScript.exe	37
PID 1280 wrote to memory of 276	1280	WScript.exe	37
PID 1280 wrote to memory of 276	1280	WScript.exe	37
PID 276 wrote to memory of 536	276	svchcst.exe	38
PID 276 wrote to memory of 536	276	svchcst.exe	38
PID 276 wrote to memory of 536	276	svchcst.exe	38
PID 276 wrote to memory of 536	276	svchcst.exe	38
PID 536 wrote to memory of 2208	536	WScript.exe	39
PID 536 wrote to memory of 2208	536	WScript.exe	39
PID 536 wrote to memory of 2208	536	WScript.exe	39
PID 536 wrote to memory of 2208	536	WScript.exe	39
PID 2208 wrote to memory of 2076	2208	svchcst.exe	40
PID 2208 wrote to memory of 2076	2208	svchcst.exe	40
PID 2208 wrote to memory of 2076	2208	svchcst.exe	40
PID 2208 wrote to memory of 2076	2208	svchcst.exe	40
PID 2076 wrote to memory of 268	2076	WScript.exe	41
PID 2076 wrote to memory of 268	2076	WScript.exe	41
PID 2076 wrote to memory of 268	2076	WScript.exe	41
PID 2076 wrote to memory of 268	2076	WScript.exe	41
PID 268 wrote to memory of 1696	268	svchcst.exe	42
PID 268 wrote to memory of 1696	268	svchcst.exe	42
PID 268 wrote to memory of 1696	268	svchcst.exe	42
PID 268 wrote to memory of 1696	268	svchcst.exe	42
PID 1696 wrote to memory of 1980	1696	WScript.exe	43
PID 1696 wrote to memory of 1980	1696	WScript.exe	43
PID 1696 wrote to memory of 1980	1696	WScript.exe	43
PID 1696 wrote to memory of 1980	1696	WScript.exe	43
PID 1980 wrote to memory of 2984	1980	svchcst.exe	44
PID 1980 wrote to memory of 2984	1980	svchcst.exe	44
PID 1980 wrote to memory of 2984	1980	svchcst.exe	44
PID 1980 wrote to memory of 2984	1980	svchcst.exe	44
PID 2984 wrote to memory of 1956	2984	WScript.exe	45
PID 2984 wrote to memory of 1956	2984	WScript.exe	45
PID 2984 wrote to memory of 1956	2984	WScript.exe	45
PID 2984 wrote to memory of 1956	2984	WScript.exe	45
PID 1956 wrote to memory of 2916	1956	svchcst.exe	46
PID 1956 wrote to memory of 2916	1956	svchcst.exe	46
PID 1956 wrote to memory of 2916	1956	svchcst.exe	46
PID 1956 wrote to memory of 2916	1956	svchcst.exe	46
PID 2916 wrote to memory of 2840	2916	WScript.exe	47
PID 2916 wrote to memory of 2840	2916	WScript.exe	47
PID 2916 wrote to memory of 2840	2916	WScript.exe	47
PID 2916 wrote to memory of 2840	2916	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe
"C:\Users\Admin\AppData\Local\Temp\a17751845f69bbfeb6a6eed8f38280c09c51adee7bc7125a31bde304ccd569f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2540
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4d78b061bad67c464b200ae379ed2f4d

SHA1
ab2286afa29ef599a2530ca050b62638715372c8

SHA256
31d771a7910c2968cc6af91ee3915a052e2bbe837553d59b21e52a0f340357e8

SHA512
b964d6b93775f61e1e21916dd07d64b77ac0639d25524fb88734931a6a6de4536397f6130662c8e52f670535d8b389685946a8abf4d6608c1e0fc279271772c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ef0f0b572c2f4293cad723d25d00c42

SHA1
21070aedce103ee5e41ef411b732699f04623804

SHA256
92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3

SHA512
0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f5e68c69dba4bafa45fb814811f5a024

SHA1
f2e22f2c0f4bd5a169759a355df0b9b8b768f49e

SHA256
e4482470fd6c028041c6d603ac02d141d26469002ff3f2f5717005d70545f745

SHA512
d9020daf2194d0490a2f4705769b99eab870b7c23afacff11c86000116b849416eac1e722c96cc3f9c62b4c2f893f2b92b2869bdbc97fb6bd2c4b82598f0d7bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c00d469a658ef113f4a8f8ce3ae38e37

SHA1
56048ff8815db05e1490213216a58650c81b0cba

SHA256
2302a503c7f15e15fb2bf619078975d139a4c91da90b70b35ce278716b2f1aab

SHA512
3310415d164127e68082b2332a2d8df47e199003e996ca68b3b7759d6817d4a4f582959dedbcf9a20eac6c342f9ecd435d9d202662fd81b70858f12b11c56702

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
16b7c14e14ff155ba6ce5bbd3dd78dfb

SHA1
262859ee41066557018ae41017d64afc8720f720

SHA256
8760b99421503e16eb7a281be45c98a7b6879a9fdb6429ee7eb21edb9e7eeb2e

SHA512
e04078e9996c3fc9a6512c817b32052890c154653be909fa8f8b7315aa15b0e177bd2a0b5691d70aec7af995fc47a24b625b26043ddbb4670f0ddff57333e509

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ce0a6262f6810add128f46952fe66471

SHA1
dd0b5c0d6c8c233735761c6a49bc8ac34272bbf8

SHA256
f5e371d730951595ea5452c8c58dc2696e50c5c13055f9bcf21c5c10db3567ac

SHA512
51f6d8becdecfd925e6a307c14c6a9d44504d1843584d35db21d7594c6374997f963e14985e77f52a5b13b255bee2cf98ac631d92eff6befa2ec7270eb09432a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
66d304fc7ae670ada8d201abc1f72cb4

SHA1
49651962f391c532bd3a06c37e210cdacf909b9f

SHA256
d42b14fdcb185b7d51a28242eb878988339c51fa7f35302c8ed1f32de53b2b76

SHA512
a71c88afe0c13d891076355aae1131bcc0ab9ba211bd9288f7e2e647ab313f31a64cbb303cd169909e4b36d1441242bd43923a0c8e75e21e94e6747b58d62c9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8d33459f6e3a716bd851c50d9a86bfce

SHA1
3c7c9c720d11fc5696031aa8a612a572b19e8969

SHA256
2cb1368bf0c8cc3116f7ed570621423cc9431bf7c77ada5b32f7e224a8ad6b6d

SHA512
21951395572ea19d6bc68625ec9776212326d03ed1ed496eb931a23a79db97d56e1d3a98c420eb353b178ff5e1b114a95300cb56fbc9a2f454bab4a590be06fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c222fc10dc74b659849b0d59706c463a

SHA1
278863fc37ff16380580ee42789ce93d2606f471

SHA256
e6459e44001c9ee230d1eb0671808bb1d6f96a7742f7712b105763987e868c3c

SHA512
9693cd90f285b8d2a046b88e4a04b760aa752449e05543ac4bafc08d724d1ab5a3928efc78339c760eb467bd221590f7f72405da3dcae2bb86283f4f305ef95e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
abc8987d6119816013871838ba6ce758

SHA1
e9022e364713f2b76c9d280bdd0369e14a00e06f

SHA256
6ee388148eac507f07ee0fed73ca3b7f2080a9dee047b4785532cd84711fb860

SHA512
0c78402d90c505624b6da7dfc2f1f44914248b419461d5076286c08de51b574c4410e6599633761b9cb1dda4befef2ad99baf4355611f207dfd6bec242ac0286

Download Submit
memory/764-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download