4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 17:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
Size

1.1MB
MD5

f9ba6348c07339bdb3321e2b26e3f7ae
SHA1

6eb9d1c03f4f99813c3908e746cd652165c8dc17
SHA256

4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f
SHA512

d07efaf2a56b87d8c31b8192df7f13ce3264794298b8b2d965a53abb2ab8cb9ec9d65036379f9d79b3b4cf5c12e6b81c557d46b089e787cbdab03c4be72bc87b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qo:CcaClSFlG4ZM7QzMv

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2732	svchcst.exe
536	svchcst.exe
1496	svchcst.exe
1924	svchcst.exe
1416	svchcst.exe
1420	svchcst.exe
300	svchcst.exe
2176	svchcst.exe
2900	svchcst.exe
2420	svchcst.exe
1612	svchcst.exe
3036	svchcst.exe
2912	svchcst.exe
1584	svchcst.exe
1552	svchcst.exe
3012	svchcst.exe
2808	svchcst.exe
2476	svchcst.exe
2688	svchcst.exe
1080	svchcst.exe
1632	svchcst.exe
2196	svchcst.exe
2384	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2476	WScript.exe
2476	WScript.exe
2712	WScript.exe
2712	WScript.exe
1432	WScript.exe
1252	WScript.exe
2072	WScript.exe
2072	WScript.exe
1700	WScript.exe
1700	WScript.exe
2500	WScript.exe
2500	WScript.exe
2060	WScript.exe
2060	WScript.exe
2308	WScript.exe
2308	WScript.exe
2804	WScript.exe
2804	WScript.exe
2712	WScript.exe
2712	WScript.exe
912	WScript.exe
912	WScript.exe
832	WScript.exe
832	WScript.exe
1892	WScript.exe
1892	WScript.exe
2160	WScript.exe
2160	WScript.exe
3060	WScript.exe
3060	WScript.exe
2504	WScript.exe
2504	WScript.exe
1680	WScript.exe
1680	WScript.exe
2724	WScript.exe
2724	WScript.exe
2780	WScript.exe
2780	WScript.exe
2236	WScript.exe
2236	WScript.exe
1044	WScript.exe
1044	WScript.exe
2992	WScript.exe
2992	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe
2732	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
2732	svchcst.exe
2732	svchcst.exe
536	svchcst.exe
536	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe
1924	svchcst.exe
1924	svchcst.exe
1416	svchcst.exe
1416	svchcst.exe
1420	svchcst.exe
1420	svchcst.exe
300	svchcst.exe
300	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2420	svchcst.exe
2420	svchcst.exe
1612	svchcst.exe
1612	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
1584	svchcst.exe
1584	svchcst.exe
1552	svchcst.exe
1552	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
2808	svchcst.exe
2808	svchcst.exe
2476	svchcst.exe
2476	svchcst.exe
2688	svchcst.exe
2688	svchcst.exe
1080	svchcst.exe
1080	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2476	2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	31
PID 2024 wrote to memory of 2476	2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	31
PID 2024 wrote to memory of 2476	2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	31
PID 2024 wrote to memory of 2476	2024	4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe	31
PID 2476 wrote to memory of 2732	2476	WScript.exe	33
PID 2476 wrote to memory of 2732	2476	WScript.exe	33
PID 2476 wrote to memory of 2732	2476	WScript.exe	33
PID 2476 wrote to memory of 2732	2476	WScript.exe	33
PID 2732 wrote to memory of 2712	2732	svchcst.exe	34
PID 2732 wrote to memory of 2712	2732	svchcst.exe	34
PID 2732 wrote to memory of 2712	2732	svchcst.exe	34
PID 2732 wrote to memory of 2712	2732	svchcst.exe	34
PID 2712 wrote to memory of 536	2712	WScript.exe	35
PID 2712 wrote to memory of 536	2712	WScript.exe	35
PID 2712 wrote to memory of 536	2712	WScript.exe	35
PID 2712 wrote to memory of 536	2712	WScript.exe	35
PID 536 wrote to memory of 1432	536	svchcst.exe	36
PID 536 wrote to memory of 1432	536	svchcst.exe	36
PID 536 wrote to memory of 1432	536	svchcst.exe	36
PID 536 wrote to memory of 1432	536	svchcst.exe	36
PID 1432 wrote to memory of 1496	1432	WScript.exe	37
PID 1432 wrote to memory of 1496	1432	WScript.exe	37
PID 1432 wrote to memory of 1496	1432	WScript.exe	37
PID 1432 wrote to memory of 1496	1432	WScript.exe	37
PID 1496 wrote to memory of 1252	1496	svchcst.exe	38
PID 1496 wrote to memory of 1252	1496	svchcst.exe	38
PID 1496 wrote to memory of 1252	1496	svchcst.exe	38
PID 1496 wrote to memory of 1252	1496	svchcst.exe	38
PID 1252 wrote to memory of 1924	1252	WScript.exe	39
PID 1252 wrote to memory of 1924	1252	WScript.exe	39
PID 1252 wrote to memory of 1924	1252	WScript.exe	39
PID 1252 wrote to memory of 1924	1252	WScript.exe	39
PID 1924 wrote to memory of 2072	1924	svchcst.exe	40
PID 1924 wrote to memory of 2072	1924	svchcst.exe	40
PID 1924 wrote to memory of 2072	1924	svchcst.exe	40
PID 1924 wrote to memory of 2072	1924	svchcst.exe	40
PID 2072 wrote to memory of 1416	2072	WScript.exe	41
PID 2072 wrote to memory of 1416	2072	WScript.exe	41
PID 2072 wrote to memory of 1416	2072	WScript.exe	41
PID 2072 wrote to memory of 1416	2072	WScript.exe	41
PID 1416 wrote to memory of 1700	1416	svchcst.exe	42
PID 1416 wrote to memory of 1700	1416	svchcst.exe	42
PID 1416 wrote to memory of 1700	1416	svchcst.exe	42
PID 1416 wrote to memory of 1700	1416	svchcst.exe	42
PID 1700 wrote to memory of 1420	1700	WScript.exe	43
PID 1700 wrote to memory of 1420	1700	WScript.exe	43
PID 1700 wrote to memory of 1420	1700	WScript.exe	43
PID 1700 wrote to memory of 1420	1700	WScript.exe	43
PID 1420 wrote to memory of 2500	1420	svchcst.exe	44
PID 1420 wrote to memory of 2500	1420	svchcst.exe	44
PID 1420 wrote to memory of 2500	1420	svchcst.exe	44
PID 1420 wrote to memory of 2500	1420	svchcst.exe	44
PID 2500 wrote to memory of 300	2500	WScript.exe	45
PID 2500 wrote to memory of 300	2500	WScript.exe	45
PID 2500 wrote to memory of 300	2500	WScript.exe	45
PID 2500 wrote to memory of 300	2500	WScript.exe	45
PID 300 wrote to memory of 2060	300	svchcst.exe	46
PID 300 wrote to memory of 2060	300	svchcst.exe	46
PID 300 wrote to memory of 2060	300	svchcst.exe	46
PID 300 wrote to memory of 2060	300	svchcst.exe	46
PID 2060 wrote to memory of 2176	2060	WScript.exe	47
PID 2060 wrote to memory of 2176	2060	WScript.exe	47
PID 2060 wrote to memory of 2176	2060	WScript.exe	47
PID 2060 wrote to memory of 2176	2060	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe
"C:\Users\Admin\AppData\Local\Temp\4b4ad43fcc906ed8642c7569f20ef28bb3e9a9ace1bf214a7c45431b9773362f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7150c8a96f209bbd9253f725df63813d

SHA1
a71760048b0d719736bf93b1918240a0cb8cb2b0

SHA256
0f7bb4bc8dde2106ee9d7ca29a8132922adcd37d6adf2f2a2a916b2113e05d3a

SHA512
44946c0c0cee82fb93b3a5d3be4e617b2ff63dfacb7c4c69b12179bb4b730066cfcc8898f33da3a172269b36a5a580ec240f995cf26d4f6dca77284154a47a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bb73f45ba0ab8d0e25bc6dcd5900a0f1

SHA1
18dd20b311cabf033725cb71f00e22449f559963

SHA256
c5b311f8ce95c93ed51768b74c6765874352e5fc61641ab54034281a5206c3b5

SHA512
f2adbb4978b02ce150fc2f4a8f6d7734ca465351c502e5a425a9dc0f751be9a048df54dfff086b4b049a80cdc8127863ea704a3b6e1855f9d4406e5778b82e04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e941c404604f780e37c7e63233301fa0

SHA1
d27c9a3b90881add1a06b41b5931267fc818ff08

SHA256
6add2531fc05662418f48a46f522fa4507053ece8d0d94a04c0c213d27da81ce

SHA512
1f448e52f5aa81f30ecf10d6222fa0913ab7a5f3c0f2c7e6a9deb231e9bf55937c4fb0f84bbaeccdd9040e163ae371daec55eff48d633cd6d6bd409433fbf4f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9a635e0e5a00d441d2b957aef99d6ff5

SHA1
499ce5d3557ca7626e8f9a8f3f481d865468ac77

SHA256
bbfefbb9e59e3e3089c5ddd5035388e5409bafa19b8f729696bf84ddd95e0ab7

SHA512
f489afcd41e18d4c587ec33af09999f33d7d73722cefd28dec66d833a776eb2b54506c7b079eb12bd094e70815db8580e26af8b941f3911236a8dc3e7eaa4668

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
14410f5022f7cb4021c39f6e5f14d081

SHA1
ebb8135c88be51164bbc5582f5e8d305f32d03ff

SHA256
1a638764414baef4437051d7ab673b52342e4f9a8e056126dc43363d5841b9f9

SHA512
a0a36b2dd8c043f0fdc5dc5bec4c97cb921d961335841e2e58df08e0b23877e021f21ebd01dbb478c5378dc078162c56f12dcf4c07f4f8f53e24e35bcdc34fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0ad01179a3e02be777c08dfaee1913d4

SHA1
501402219a17e0169e351decde3bada42493dd29

SHA256
260b2b018ab8387f30ef2df9bd42cf358798d2395953a2ce9e3551e5da2a1526

SHA512
63371d17bb010929cf7fc87598f137240e231af59add0c11aa486175d2ed66063bbe48c6bad3e79e3ea62340db43fc6a2c440fc59227c9d55433237000db1470

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0b40b1f0ffcf8129001b16b909aa02ce

SHA1
10ae80c1139ee1b461833758145c78d4d20bfe9f

SHA256
a3b71d8c112101e0e6334ddd06d9ea8c2fc640a49e9a77614a69d1d434333ee0

SHA512
a06cbadd5e2ec1390d5a24035d99c05f6d96a346b7ed0625b02b851f5bcc5d8d3fe695507c5dbbf7c1c8463d3bf78c972544ddefc75f18c22acbdab5296c9316

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bb27d188055257cb96c237bb8203627b

SHA1
9107e31b13af36752bc3e60aba95714ec2869866

SHA256
22b22f5652ba520214d0f9a0677931505695b8197f34a1ca00709f68104c8dcb

SHA512
092d674479e4866e0a2eae536f51af6227f0d060b7088b8f5ac200934352cf420881184a4b40038dfeb3519ef8bfa2cb3d8d7abed356bc582aa5b9a6d9aabdd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2a68d05723e14f4785657c3177777a34

SHA1
5883360be132d2217742b8bbd436a141d3dab732

SHA256
4f6bf3876848a7a8ae9f894a1b95f6121c9bd6dbf69cda8b345f63f8165f68ae

SHA512
07b8784b1ca67ee9a5caba9563b72fac96fc9ad5501f5e42eb7f3b49bd29abdedc8b080fd4cff8d252b1fab0d6636cbf2dfd452c84e64cd7168ea13a10878295

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a144377ce0f84b222325938d51303e4

SHA1
9bf984d0a047056c4285855fb20fe837d23f55a5

SHA256
e63ee3564e02e154da2a24700da4dbdd9d626bbfc9239c9baed5a664219e5322

SHA512
ce793b29e0c1aa28dd4f44c3598b7ab901f146e3183e389999ebc090f067ed589e6aec46e86d13c3b9328fc9d9899d74307f14f5ecf1816a55009b1ac637e9d8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
de42117ae96a06c41684c862f566b818

SHA1
0c282548540758792d975952860140cec58e6a8e

SHA256
c0dc59498e570017df177d394590b53704a1837e352554aa57fa159096c8daba

SHA512
cc0ca0c053c5f0a8c78ef4170a12cba8110d32e4b436b45186920a2015533a00a2ec97e18248a5a2cbd07e37d3f2ffa21957418bb1dfae1a9a832146bfab4060

Download Submit
memory/2024-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download