a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe
Size

1.1MB
MD5

807a1fc88f109f3bf7b827524cb200fd
SHA1

db0e8a68d0a5ae1b824fb30e57925fa6644bb62e
SHA256

a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2
SHA512

5407e6e9f9e77c8d69d7f62155e8f57d65411361bc4fa740794647138283f2b96b1a06031478d0dbbc225ae2c69bf92499abe330f5cdc8080b82024ac3ae4117
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzMU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2796	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2796	svchcst.exe
1624	svchcst.exe
1948	svchcst.exe
1388	svchcst.exe
832	svchcst.exe
1320	svchcst.exe
2108	svchcst.exe
1676	svchcst.exe
3036	svchcst.exe
2628	svchcst.exe
2792	svchcst.exe
2160	svchcst.exe
1540	svchcst.exe
3016	svchcst.exe
1592	svchcst.exe
2468	svchcst.exe
316	svchcst.exe
2840	svchcst.exe
2312	svchcst.exe
1512	svchcst.exe
2188	svchcst.exe
1388	svchcst.exe
2528	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2456	WScript.exe
2456	WScript.exe
2560	WScript.exe
2560	WScript.exe
2544	WScript.exe
2544	WScript.exe
1692	WScript.exe
2404	WScript.exe
2404	WScript.exe
2416	WScript.exe
2416	WScript.exe
2824	WScript.exe
2248	WScript.exe
2248	WScript.exe
2248	WScript.exe
2248	WScript.exe
1204	WScript.exe
1204	WScript.exe
2128	WScript.exe
2128	WScript.exe
2220	WScript.exe
2220	WScript.exe
2412	WScript.exe
2412	WScript.exe
1980	WScript.exe
1980	WScript.exe
2828	WScript.exe
2828	WScript.exe
2968	WScript.exe
2968	WScript.exe
2296	WScript.exe
2296	WScript.exe
2508	WScript.exe
2508	WScript.exe
2884	WScript.exe
2884	WScript.exe
648	WScript.exe
648	WScript.exe
1964	WScript.exe
1964	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe
2796	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe
2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe
2796	svchcst.exe
2796	svchcst.exe
1624	svchcst.exe
1624	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
1388	svchcst.exe
1388	svchcst.exe
832	svchcst.exe
832	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
1676	svchcst.exe
1676	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
2792	svchcst.exe
2792	svchcst.exe
2160	svchcst.exe
2160	svchcst.exe
1540	svchcst.exe
1540	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
2468	svchcst.exe
2468	svchcst.exe
316	svchcst.exe
316	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
1512	svchcst.exe
1512	svchcst.exe
2188	svchcst.exe
2188	svchcst.exe
1388	svchcst.exe
1388	svchcst.exe
2528	svchcst.exe
2528	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2456	2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe	31
PID 2280 wrote to memory of 2456	2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe	31
PID 2280 wrote to memory of 2456	2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe	31
PID 2280 wrote to memory of 2456	2280	a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe	31
PID 2456 wrote to memory of 2796	2456	WScript.exe	33
PID 2456 wrote to memory of 2796	2456	WScript.exe	33
PID 2456 wrote to memory of 2796	2456	WScript.exe	33
PID 2456 wrote to memory of 2796	2456	WScript.exe	33
PID 2796 wrote to memory of 2560	2796	svchcst.exe	34
PID 2796 wrote to memory of 2560	2796	svchcst.exe	34
PID 2796 wrote to memory of 2560	2796	svchcst.exe	34
PID 2796 wrote to memory of 2560	2796	svchcst.exe	34
PID 2560 wrote to memory of 1624	2560	WScript.exe	35
PID 2560 wrote to memory of 1624	2560	WScript.exe	35
PID 2560 wrote to memory of 1624	2560	WScript.exe	35
PID 2560 wrote to memory of 1624	2560	WScript.exe	35
PID 1624 wrote to memory of 2544	1624	svchcst.exe	36
PID 1624 wrote to memory of 2544	1624	svchcst.exe	36
PID 1624 wrote to memory of 2544	1624	svchcst.exe	36
PID 1624 wrote to memory of 2544	1624	svchcst.exe	36
PID 2544 wrote to memory of 1948	2544	WScript.exe	37
PID 2544 wrote to memory of 1948	2544	WScript.exe	37
PID 2544 wrote to memory of 1948	2544	WScript.exe	37
PID 2544 wrote to memory of 1948	2544	WScript.exe	37
PID 1948 wrote to memory of 1692	1948	svchcst.exe	38
PID 1948 wrote to memory of 1692	1948	svchcst.exe	38
PID 1948 wrote to memory of 1692	1948	svchcst.exe	38
PID 1948 wrote to memory of 1692	1948	svchcst.exe	38
PID 1692 wrote to memory of 1388	1692	WScript.exe	39
PID 1692 wrote to memory of 1388	1692	WScript.exe	39
PID 1692 wrote to memory of 1388	1692	WScript.exe	39
PID 1692 wrote to memory of 1388	1692	WScript.exe	39
PID 1388 wrote to memory of 2404	1388	svchcst.exe	40
PID 1388 wrote to memory of 2404	1388	svchcst.exe	40
PID 1388 wrote to memory of 2404	1388	svchcst.exe	40
PID 1388 wrote to memory of 2404	1388	svchcst.exe	40
PID 2404 wrote to memory of 832	2404	WScript.exe	41
PID 2404 wrote to memory of 832	2404	WScript.exe	41
PID 2404 wrote to memory of 832	2404	WScript.exe	41
PID 2404 wrote to memory of 832	2404	WScript.exe	41
PID 832 wrote to memory of 1720	832	svchcst.exe	42
PID 832 wrote to memory of 1720	832	svchcst.exe	42
PID 832 wrote to memory of 1720	832	svchcst.exe	42
PID 832 wrote to memory of 1720	832	svchcst.exe	42
PID 2404 wrote to memory of 1320	2404	WScript.exe	43
PID 2404 wrote to memory of 1320	2404	WScript.exe	43
PID 2404 wrote to memory of 1320	2404	WScript.exe	43
PID 2404 wrote to memory of 1320	2404	WScript.exe	43
PID 1320 wrote to memory of 2416	1320	svchcst.exe	44
PID 1320 wrote to memory of 2416	1320	svchcst.exe	44
PID 1320 wrote to memory of 2416	1320	svchcst.exe	44
PID 1320 wrote to memory of 2416	1320	svchcst.exe	44
PID 2416 wrote to memory of 2108	2416	WScript.exe	45
PID 2416 wrote to memory of 2108	2416	WScript.exe	45
PID 2416 wrote to memory of 2108	2416	WScript.exe	45
PID 2416 wrote to memory of 2108	2416	WScript.exe	45
PID 2108 wrote to memory of 1744	2108	svchcst.exe	46
PID 2108 wrote to memory of 1744	2108	svchcst.exe	46
PID 2108 wrote to memory of 1744	2108	svchcst.exe	46
PID 2108 wrote to memory of 1744	2108	svchcst.exe	46
PID 2416 wrote to memory of 1676	2416	WScript.exe	47
PID 2416 wrote to memory of 1676	2416	WScript.exe	47
PID 2416 wrote to memory of 1676	2416	WScript.exe	47
PID 2416 wrote to memory of 1676	2416	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe
"C:\Users\Admin\AppData\Local\Temp\a4d1f2b01a6db0251a8158ea883948bf1a540be6f4ebb437cd8bab08a097ebb2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1388
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
8c8e2f056d63add2759983ad9cbc20e3

SHA1
2c9d546d9c2f8b68b0781574145f164372dea9f4

SHA256
fc38e74ba34956d24271cd9ced3ef1e540614b4b1abcf6cf52e2c64b0349d00b

SHA512
cf9708fa939b33d1ff9ea4c47355a40f1a0b2edfb352c06a13a5fb101bdc3cdb54a348e62070f61b87d18aea03e59aa01bf3bdf5aebcbb654d89ed764c7c6995

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d04e4fa1d3c8ba67f98c8e40c157ed97

SHA1
c0d95df53f8a804370ce7230fd02b9e58f75ec22

SHA256
b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

SHA512
7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c3b5340da071ac89dded61dffd49fb5

SHA1
77a880658d0b70e5455379099427bfdae8cc0ae8

SHA256
d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e

SHA512
7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b01deb2dadc8260c4bcb435df78599d9

SHA1
7ac78543d19aefbe54d4e7d12d045cff0e7934f0

SHA256
4f88b370f98b6357f72a7942c293827b72164112e87fbbb6c842d9b206ab53b0

SHA512
319c1925e74af3cace9d3c3fafb7ff3c28ae3240e1d67da7d05ed25b7ec523eec9a974f21ff9914e602334c192e5801a55695ad705dbaa2a32e3b08e7996bb4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7f4a30c959a105f5b129f462fda41bd3

SHA1
b4602f3e0347678c8197a082e76e2a75a97d272a

SHA256
8410793e1f87c1daebd99924384f7776d366bf6a0b92e62f72476181659c2552

SHA512
f855bc14521993d0816d375d4852a54ae8a960a6bf6dd0995e09cdd736228a76a44fc992aa20ed19f3213ccc7e62c5b1cc303fd282e52d9ecce506256014343d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f67914cf156fe6ff2dd09fbba32240aa

SHA1
88da23d3da586a8c435e0be4ed501e305492bc7d

SHA256
0ab284b615bac4b0841a3d9b0be797ed43f3bb5757a92a2a33b2e4de9a046423

SHA512
78db1e35203245dc10b2a8e1ecfd999eca8776c545fd7e94209c8077a4b41ec40703a5421e35dc94f1879c217cd83374fea5d0221a0012a5aa3dff88b2277335

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3b6d9683a1c14101f5dcf4644bce1879

SHA1
9374782be8ee973892bc3c292664f92120b01494

SHA256
297f3c91265da386d7cd74d0180b51ea6bda8d0c47f9f2382e69d385468a3f68

SHA512
93dcf4ce1c6142fbf3c43a1d57ed67e1722152dba85b5395d0cdd216150c35d2caba5cc6e0dc7e9c92f6867d6b39464f08e7c49abded88944383e479f07af44e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
13f3c1a0e635c1dfb6afa8f46b59c932

SHA1
7c132889b23b94147e9a8dec52dfde3c4ef11ae2

SHA256
3cb3e320b0786a95d8b9f74c2700a09c18bfcf6019c7d67a63686bb209fb17a8

SHA512
80d466f3a1ae86db77147bc61eff8961edd3e5c5ee2c03719e132185946eb4ec02c8c5d5f6d39c121c72763f8ebea2b8e195176f5849f593d76affc1bdd34632

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5478b49509d9d4161fbf41e73af1d1b1

SHA1
74b5ce49342d337bd47e4508e2f79b5a351de6fb

SHA256
3b659d29661c01ad38ab89f9a6187dd8d8a557e44697b9235cbc43c1aa5ab313

SHA512
ff53bd4a7c1704ff24af20ff82a9fd1b25c28aee8a9153d4d6b07ca8df21b5ebdfb9ec69aa255026e67cc35d199a46dd083e273c0a152632225f82bdee2bc31d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
22a3105a8a25f73d5eb237d17448a63d

SHA1
292109ebe65266926586adf12f5213a86fa161bd

SHA256
e4a616f638d0c3f257667b5cf4b8758752fc20ad091f41706cb2041094a99d2f

SHA512
0c05b5160a4ff734f65ce818e0e7b23313b8b702e89fbf0f2f2df29273429b1bb8714675c30621501031ca1d8aa9221e0650751ad363911e4042e1966462dfea

Download Submit
memory/2280-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download