9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3

Analysis

max time kernel
110s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
Size

1.1MB
MD5

8faa5b16670373760161e9bee8db8183
SHA1

83866a5d1e7640497605d1482c3aa1e4906243a4
SHA256

9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3
SHA512

92be5a4f0c8832c2df07ed1490ae0c529769781de6d5df2519c1b1b74535a8cd77c5b5b3ab01b5305c50ecba0d1f15e01625c833c7dacd43fd4cd515c919a05b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzMJ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2660	svchcst.exe

Executes dropped EXE 19 IoCs

pid	Process
2660	svchcst.exe
2976	svchcst.exe
1232	svchcst.exe
2000	svchcst.exe
2032	svchcst.exe
1636	svchcst.exe
1288	svchcst.exe
2704	svchcst.exe
1612	svchcst.exe
2976	svchcst.exe
2352	svchcst.exe
1632	svchcst.exe
2140	svchcst.exe
3060	svchcst.exe
2964	svchcst.exe
2824	svchcst.exe
264	svchcst.exe
2236	svchcst.exe
1780	svchcst.exe

Loads dropped DLL 37 IoCs

pid	Process
2576	WScript.exe
2576	WScript.exe
2076	WScript.exe
2076	WScript.exe
2696	WScript.exe
2696	WScript.exe
2524	WScript.exe
2524	WScript.exe
2388	WScript.exe
2388	WScript.exe
2388	WScript.exe
2388	WScript.exe
1492	WScript.exe
1492	WScript.exe
1596	WScript.exe
1596	WScript.exe
2184	WScript.exe
2184	WScript.exe
1600	WScript.exe
1600	WScript.exe
2104	WScript.exe
900	WScript.exe
900	WScript.exe
2068	WScript.exe
2068	WScript.exe
2080	WScript.exe
2080	WScript.exe
1320	WScript.exe
1320	WScript.exe
3020	WScript.exe
3020	WScript.exe
2904	WScript.exe
2904	WScript.exe
2680	WScript.exe
2680	WScript.exe
2408	WScript.exe
2408	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe
2660	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
2660	svchcst.exe
2660	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
1232	svchcst.exe
1232	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
1636	svchcst.exe
1636	svchcst.exe
1288	svchcst.exe
1288	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
1612	svchcst.exe
1612	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
3060	svchcst.exe
3060	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
264	svchcst.exe
264	svchcst.exe
2236	svchcst.exe
2236	svchcst.exe
1780	svchcst.exe
1780	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2576	320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe	30
PID 320 wrote to memory of 2576	320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe	30
PID 320 wrote to memory of 2576	320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe	30
PID 320 wrote to memory of 2576	320	9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe	30
PID 2576 wrote to memory of 2660	2576	WScript.exe	32
PID 2576 wrote to memory of 2660	2576	WScript.exe	32
PID 2576 wrote to memory of 2660	2576	WScript.exe	32
PID 2576 wrote to memory of 2660	2576	WScript.exe	32
PID 2660 wrote to memory of 2696	2660	svchcst.exe	33
PID 2660 wrote to memory of 2696	2660	svchcst.exe	33
PID 2660 wrote to memory of 2696	2660	svchcst.exe	33
PID 2660 wrote to memory of 2696	2660	svchcst.exe	33
PID 2660 wrote to memory of 2076	2660	svchcst.exe	34
PID 2660 wrote to memory of 2076	2660	svchcst.exe	34
PID 2660 wrote to memory of 2076	2660	svchcst.exe	34
PID 2660 wrote to memory of 2076	2660	svchcst.exe	34
PID 2076 wrote to memory of 2976	2076	WScript.exe	35
PID 2076 wrote to memory of 2976	2076	WScript.exe	35
PID 2076 wrote to memory of 2976	2076	WScript.exe	35
PID 2076 wrote to memory of 2976	2076	WScript.exe	35
PID 2696 wrote to memory of 1232	2696	WScript.exe	36
PID 2696 wrote to memory of 1232	2696	WScript.exe	36
PID 2696 wrote to memory of 1232	2696	WScript.exe	36
PID 2696 wrote to memory of 1232	2696	WScript.exe	36
PID 1232 wrote to memory of 2524	1232	svchcst.exe	37
PID 1232 wrote to memory of 2524	1232	svchcst.exe	37
PID 1232 wrote to memory of 2524	1232	svchcst.exe	37
PID 1232 wrote to memory of 2524	1232	svchcst.exe	37
PID 2524 wrote to memory of 2000	2524	WScript.exe	38
PID 2524 wrote to memory of 2000	2524	WScript.exe	38
PID 2524 wrote to memory of 2000	2524	WScript.exe	38
PID 2524 wrote to memory of 2000	2524	WScript.exe	38
PID 2000 wrote to memory of 864	2000	svchcst.exe	39
PID 2000 wrote to memory of 864	2000	svchcst.exe	39
PID 2000 wrote to memory of 864	2000	svchcst.exe	39
PID 2000 wrote to memory of 864	2000	svchcst.exe	39
PID 2000 wrote to memory of 2388	2000	svchcst.exe	40
PID 2000 wrote to memory of 2388	2000	svchcst.exe	40
PID 2000 wrote to memory of 2388	2000	svchcst.exe	40
PID 2000 wrote to memory of 2388	2000	svchcst.exe	40
PID 2388 wrote to memory of 2032	2388	WScript.exe	41
PID 2388 wrote to memory of 2032	2388	WScript.exe	41
PID 2388 wrote to memory of 2032	2388	WScript.exe	41
PID 2388 wrote to memory of 2032	2388	WScript.exe	41
PID 2032 wrote to memory of 1320	2032	svchcst.exe	42
PID 2032 wrote to memory of 1320	2032	svchcst.exe	42
PID 2032 wrote to memory of 1320	2032	svchcst.exe	42
PID 2032 wrote to memory of 1320	2032	svchcst.exe	42
PID 2388 wrote to memory of 1636	2388	WScript.exe	43
PID 2388 wrote to memory of 1636	2388	WScript.exe	43
PID 2388 wrote to memory of 1636	2388	WScript.exe	43
PID 2388 wrote to memory of 1636	2388	WScript.exe	43
PID 1636 wrote to memory of 1492	1636	svchcst.exe	44
PID 1636 wrote to memory of 1492	1636	svchcst.exe	44
PID 1636 wrote to memory of 1492	1636	svchcst.exe	44
PID 1636 wrote to memory of 1492	1636	svchcst.exe	44
PID 1492 wrote to memory of 1288	1492	WScript.exe	45
PID 1492 wrote to memory of 1288	1492	WScript.exe	45
PID 1492 wrote to memory of 1288	1492	WScript.exe	45
PID 1492 wrote to memory of 1288	1492	WScript.exe	45
PID 1288 wrote to memory of 1596	1288	svchcst.exe	46
PID 1288 wrote to memory of 1596	1288	svchcst.exe	46
PID 1288 wrote to memory of 1596	1288	svchcst.exe	46
PID 1288 wrote to memory of 1596	1288	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe
"C:\Users\Admin\AppData\Local\Temp\9e5900c47efb5fbdfb8c9e2fa288b7421b87bc81b47d141bd8d79b11f549d0c3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        
        PID:940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8253189c48834dfb270745585e0237cf

SHA1
0b9b1a50ca1acf76138c03b7a9b87be4a92a2879

SHA256
78c05314da49864eb22a4fa2074d8e91160ccdf6c8483bc58f53a80f1efc8c16

SHA512
6b10b3fa53a3351cdbbfe6b4adeed03efa19be7025786a4dc235fe1850d338f4e903a3431e75e5f997f0e3e55710756a3dac76443467b2596ffa74c8896df07a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
51b2348c37bbedcb127fa176820f5ea2

SHA1
6e70ca09179127890e64c4ffa345b2af573c39fa

SHA256
7b37f5580068bfba5583d762d9b64c8ee6468a9e064547f230757c4be595bd02

SHA512
0f9755ae0408b0dd6e1279bfa8c5dfbe63b3775a81a3c5b342c5e56e7521d292b0c4e94053e6fa0c3da233f3af60aae2dc28749f991ea81fd9bf2627698a343e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8f7c98d1a477997452fa2dd4a606902b

SHA1
9e56fae88e51688a3e0d3dbaa5b49b0eec5f9282

SHA256
e300f919ecb93a8b928426f5d9e025f04901ed9fdbdd055226ca41e75f8be37f

SHA512
3506b21e26f730df6efadafa23e44d4a90df46d02e125196e279b222b832aaa4356ef44bb661006a05afc56e379ada5362965e78a30bfa389be8558573789e69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f9d067cfea68dbe82140f50de98ca967

SHA1
98d99a71e7816e9a212fcc40e0673b8d0b5b29b6

SHA256
c9f1e50d7a23603af3e0b641db24c00a30d6fd497ae1774ffa2183d4b7897945

SHA512
8b5297f6f4d16fe14a0ae836e3cb2f363a6c00348bb4cbfb3733187d7d2bbb98d6bc9b00529af9f3ef779be90a6015bf38d3c689c93af462a41a56b562dc79fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
175eafa886c168d227b1215e968cc509

SHA1
a91091faaa85095880c117575dae87b9ce3ab74b

SHA256
010f71795124d93c501af59747feb565a4b8d2c293d3d2f9bc565da52b00f01b

SHA512
b2cffe074e9b689379161d0bece75a9efb82dff1e9fc80fd5f8a6300fc84c3c06314b647552343e45057ea83286871904c0fd8f5147295bb9ef796eaf1006521

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bc4eb48671fcc36a228ca6e994533091

SHA1
5ae7e62c9ff8b7a39cdafbf749c6fe74689ac96e

SHA256
70a55bbe5dd2e440a1760826ed6752523fcafe543387707e918361ed94c86e4a

SHA512
9c45cd736da26cb9b3ecfff2846294e263e5fc0b1adffacbc398e59707bba76f2c2e9d9cc75e22b586886321fad87d1dfe3714f8fd03e85bd07c6021d35dc225

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
aa9871f3e4b4bf7358111b19162da3ca

SHA1
382b7a65222bcc368302b01ec5579188c22321c7

SHA256
0e38e274fa73e19554d597adda610aff0d7640c7e5a9adb57c7cb890d124c555

SHA512
d2a41f05ce96b38abea5a73ad2ed55ea726036d6fccd526bd79bddda698bf5e655e9b78d4fb029e88620e5a4ab4ef7d59563640282c6e8163fa0f592341266c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
204f6c17b96ab03a57af4c4129db5ccb

SHA1
a4a6f89138083fdca72c03116a74f76817b95078

SHA256
e08fe214ddb094986e289e0a429c272af5547b9e7f4ad0cd4d6d1ed120af9e99

SHA512
300b74aa5328437dee11f55efc79cc3ec567e1520ebf813a434606a1b5bb06ca58aff2c10e18e3b19ed2e1e43c72dbc48274fb8c8a14439a301be8cd60d79e11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
60d59dfd589c5f14ad1eb6fb69fc3f05

SHA1
c916449564dc50920de168a29a12f7a14e29d3c1

SHA256
157ff9ce3f6da5d10d8141d12f558384e04a1d18288d7761b6592b94ab9bcdab

SHA512
d3c1b7aed8dbdc8b8fa3b999c43e55bf081ad82bc8bfdcb33d66f2624f4009740fbe5deba7e9d84ac302c1a322daae697682f6b36e799fa401354ae13b03eb50

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bc908a42a8d6a0e24bf07b0020f43736

SHA1
5df60d5bfab8f9cb9e347d3c3e7d393f5a648027

SHA256
536507b739dbb87cc54c9870457621183a859f5a0989f6d45e6591f581b98796

SHA512
74584b69d55f2827e048a50cf0b406a94fb3cf7758b1a951a01deca4b924efec7cc834bfb022c837eb1c4c41ec9dbb33e4332e29c7a8f9ec3e504fe9a6a222e0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c40f35e6430bac669ad5bd76f95b29d4

SHA1
0babf1e55096d1498643a2bc5d66631c5ccf93ff

SHA256
dae7665b297a8eb2ccbe283613ee8ba5fa7a41f12be7ca585713c84b32cf2a8a

SHA512
4695389c2bdd1df30acf29489a271842e33534b911f93fd48807d8433e2ebbd2bd14d6f4a25140cc3432946b31f84503a8803e282738a14757ce8f5f108aa87a

Download Submit
memory/320-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download