a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 21:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe
Size

1.1MB
MD5

28e86566a92043cda0e9da3c61f24009
SHA1

58d28e75efdca6925a41d62efb3625d8c1b6eb4b
SHA256

a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e
SHA512

d58fb3989c3b5046659aff2e592febdf16732b6bec52304cde8ea10e77bb667aac6efa80deff2da9681fd30e961e32e1d3403c3a1aba50f3b33efcfbfd729ff5
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QW:CcaClSFlG4ZM7QzMt

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2812	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2812	svchcst.exe
3004	svchcst.exe
1652	svchcst.exe
1772	svchcst.exe
2108	svchcst.exe
740	svchcst.exe
2212	svchcst.exe
264	svchcst.exe
2584	svchcst.exe
1528	svchcst.exe
2000	svchcst.exe
2876	svchcst.exe
788	svchcst.exe
620	svchcst.exe
968	svchcst.exe
1556	svchcst.exe
3032	svchcst.exe
2720	svchcst.exe
3068	svchcst.exe
1608	svchcst.exe
1816	svchcst.exe
1216	svchcst.exe
1752	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
2964	WScript.exe
2964	WScript.exe
2608	WScript.exe
2024	WScript.exe
2024	WScript.exe
1072	WScript.exe
1072	WScript.exe
2208	WScript.exe
2208	WScript.exe
1812	WScript.exe
1812	WScript.exe
2104	WScript.exe
2104	WScript.exe
2120	WScript.exe
2120	WScript.exe
2984	WScript.exe
2984	WScript.exe
2096	WScript.exe
2096	WScript.exe
3040	WScript.exe
3040	WScript.exe
1744	WScript.exe
1744	WScript.exe
2896	WScript.exe
2896	WScript.exe
2208	WScript.exe
2208	WScript.exe
1812	WScript.exe
1812	WScript.exe
2416	WScript.exe
2416	WScript.exe
2716	WScript.exe
2716	WScript.exe
2828	WScript.exe
2828	WScript.exe
1472	WScript.exe
1472	WScript.exe
1528	WScript.exe
1528	WScript.exe
2384	WScript.exe
2384	WScript.exe
2276	WScript.exe
2276	WScript.exe
2316	WScript.exe
2316	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe
2812	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe
2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe
2812	svchcst.exe
2812	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
1772	svchcst.exe
1772	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
740	svchcst.exe
740	svchcst.exe
2212	svchcst.exe
2212	svchcst.exe
264	svchcst.exe
264	svchcst.exe
2584	svchcst.exe
2584	svchcst.exe
1528	svchcst.exe
1528	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
2876	svchcst.exe
2876	svchcst.exe
788	svchcst.exe
788	svchcst.exe
620	svchcst.exe
620	svchcst.exe
968	svchcst.exe
968	svchcst.exe
1556	svchcst.exe
1556	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2720	svchcst.exe
2720	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
1816	svchcst.exe
1816	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2964	2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe	30
PID 2960 wrote to memory of 2964	2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe	30
PID 2960 wrote to memory of 2964	2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe	30
PID 2960 wrote to memory of 2964	2960	a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe	30
PID 2964 wrote to memory of 2812	2964	WScript.exe	33
PID 2964 wrote to memory of 2812	2964	WScript.exe	33
PID 2964 wrote to memory of 2812	2964	WScript.exe	33
PID 2964 wrote to memory of 2812	2964	WScript.exe	33
PID 2812 wrote to memory of 2608	2812	svchcst.exe	34
PID 2812 wrote to memory of 2608	2812	svchcst.exe	34
PID 2812 wrote to memory of 2608	2812	svchcst.exe	34
PID 2812 wrote to memory of 2608	2812	svchcst.exe	34
PID 2608 wrote to memory of 3004	2608	WScript.exe	35
PID 2608 wrote to memory of 3004	2608	WScript.exe	35
PID 2608 wrote to memory of 3004	2608	WScript.exe	35
PID 2608 wrote to memory of 3004	2608	WScript.exe	35
PID 3004 wrote to memory of 2024	3004	svchcst.exe	36
PID 3004 wrote to memory of 2024	3004	svchcst.exe	36
PID 3004 wrote to memory of 2024	3004	svchcst.exe	36
PID 3004 wrote to memory of 2024	3004	svchcst.exe	36
PID 2024 wrote to memory of 1652	2024	WScript.exe	37
PID 2024 wrote to memory of 1652	2024	WScript.exe	37
PID 2024 wrote to memory of 1652	2024	WScript.exe	37
PID 2024 wrote to memory of 1652	2024	WScript.exe	37
PID 1652 wrote to memory of 1072	1652	svchcst.exe	38
PID 1652 wrote to memory of 1072	1652	svchcst.exe	38
PID 1652 wrote to memory of 1072	1652	svchcst.exe	38
PID 1652 wrote to memory of 1072	1652	svchcst.exe	38
PID 1072 wrote to memory of 1772	1072	WScript.exe	39
PID 1072 wrote to memory of 1772	1072	WScript.exe	39
PID 1072 wrote to memory of 1772	1072	WScript.exe	39
PID 1072 wrote to memory of 1772	1072	WScript.exe	39
PID 1772 wrote to memory of 2208	1772	svchcst.exe	40
PID 1772 wrote to memory of 2208	1772	svchcst.exe	40
PID 1772 wrote to memory of 2208	1772	svchcst.exe	40
PID 1772 wrote to memory of 2208	1772	svchcst.exe	40
PID 2208 wrote to memory of 2108	2208	WScript.exe	41
PID 2208 wrote to memory of 2108	2208	WScript.exe	41
PID 2208 wrote to memory of 2108	2208	WScript.exe	41
PID 2208 wrote to memory of 2108	2208	WScript.exe	41
PID 2108 wrote to memory of 1812	2108	svchcst.exe	42
PID 2108 wrote to memory of 1812	2108	svchcst.exe	42
PID 2108 wrote to memory of 1812	2108	svchcst.exe	42
PID 2108 wrote to memory of 1812	2108	svchcst.exe	42
PID 1812 wrote to memory of 740	1812	WScript.exe	43
PID 1812 wrote to memory of 740	1812	WScript.exe	43
PID 1812 wrote to memory of 740	1812	WScript.exe	43
PID 1812 wrote to memory of 740	1812	WScript.exe	43
PID 740 wrote to memory of 2104	740	svchcst.exe	44
PID 740 wrote to memory of 2104	740	svchcst.exe	44
PID 740 wrote to memory of 2104	740	svchcst.exe	44
PID 740 wrote to memory of 2104	740	svchcst.exe	44
PID 2104 wrote to memory of 2212	2104	WScript.exe	45
PID 2104 wrote to memory of 2212	2104	WScript.exe	45
PID 2104 wrote to memory of 2212	2104	WScript.exe	45
PID 2104 wrote to memory of 2212	2104	WScript.exe	45
PID 2212 wrote to memory of 2120	2212	svchcst.exe	46
PID 2212 wrote to memory of 2120	2212	svchcst.exe	46
PID 2212 wrote to memory of 2120	2212	svchcst.exe	46
PID 2212 wrote to memory of 2120	2212	svchcst.exe	46
PID 2120 wrote to memory of 264	2120	WScript.exe	47
PID 2120 wrote to memory of 264	2120	WScript.exe	47
PID 2120 wrote to memory of 264	2120	WScript.exe	47
PID 2120 wrote to memory of 264	2120	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe
"C:\Users\Admin\AppData\Local\Temp\a70747cdacd2d80dd65df4933286f8497d40e5fedac5317f060529bdcaebb33e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
c2f98679e70c754b52674a1616d110e4

SHA1
2a1699b579e09ed851918883616152e978d59be5

SHA256
3fc8ac5b8071718c10ee59b2f6e6345f3cf443fd5e8b20a34d232b3035c27962

SHA512
90b782bec0c17b2fee589a2dc450296be2f9eb9eb99855e40bff70cb76b2a6e3cba9c4b21baf4740487f75ab38006dcad197f8c0678d27375f30083b70e30e0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f2d2f31794455ef80ea8a41b0b218045

SHA1
926c4e45922f43c6afc2cb31d96b5b35d4db3cae

SHA256
698e3bc7681704e68728030dcceb12377aae02f71e91a5fd15c12b686ba00141

SHA512
36cc2c9bd29c6bd97c2bd7eef7b9bffc512ebabf43d089a2866a66efc4f4f3f7d92b2d0719ae61ad07c38b89b1c0a4b59df57f84beef76c88bd376125048d714

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3af1e335d8b17e0d4be92be268fb467e

SHA1
5dfe6ae51b199273a8def4c763c895f524b9cc7d

SHA256
cc7aa7cb3b0b49497438e8da300b9eac3cbaa103ae81428240e3b4a23f0200bd

SHA512
1593af1d0c50137d6ebc60829fbf1b88726599db53132500c168c18bd82bcc5d6e67de997f139c00811ec98e69897d1d24655e6cfcb4c3516935c2daac5dea62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62b6a2212f5070eb9355cc048baefcc1

SHA1
f013885d2b6064c9c6e127bd97001e2b8952d23f

SHA256
17c98bdc8eee9b054887459b75cbda5345f18d6e179622c6f957f8a588f331c0

SHA512
cd5e45a88b85e0f7eb1b6e52efbba8c47187946c182f85244daf15e3648d0a2f9fb177c1e9ac016c71cb7e43fa9d2d893c7cd8869a1b5d46fbae4b7c4384ef92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0ab7281401c7c5da799c122826eff014

SHA1
e4b28f80c1d900c6e231f0492e72bab4c2502cb5

SHA256
cfa0856b6a51bc9e8d6fbc37435ac6d1d0d0a685dd7b3c18668933269845492c

SHA512
3926bad8d1f9dd9be583ad26853fdf54fe5e744d934db7d321f836203a2ca71841a885d6e8a24ef1fb47ab40384e715a355f16f7c5f8fd942f145b84a68c0fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
117a45b9d9fec77a236fabbc147fedda

SHA1
f61c481573c2bd8508db8ff395246f15b1b705fd

SHA256
3b6bf525966740e398971448293509acb14806bac03af2d0d8249b42ea4fad88

SHA512
9e32e86a184424498a21c8304140ba115da5e70532dfde3d05413076bbb5128a7ce0f4856416e9b165978373a91604cb59c116309771139ffd1fa2ae460e4341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ea7b11afcd32703726e224e0dd0cf1a3

SHA1
1bbf7f54c6d9499c9ee0a8705fb9d3dcc993e722

SHA256
aaed676d43b9a46dbf3ad06beaf19203db72e2f0899042c97ba751e9732d6a70

SHA512
004e20ee4d946d164a4dbbadea149458391878954168aa3f0c236774fdac6c3bf0e61c595d5b63a19591c6ec364b185a9c8d71235e8cc4ac67ba0a47ca3a0ab0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
32fe2edccbb744c4445bbf6ab17e718e

SHA1
42383b7f30db465127f51fc86546d0f3a21203b0

SHA256
cebdbb9375d964c40ee567a1fbb40192ab6be170af20c597dd6437edbbd27527

SHA512
d4a9d441f0030933a31be45f6fa81b834ebfb8f6c01b6c05759a7ef978f9923be4b65d80a472a1ac9167e0dc5370da363c91a0d518dc39c3bfc6d4d0102c013e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
36401a4f8d57eda7d3910f5e6e835d98

SHA1
3700d022cfec5f2fd0a69a6a647a12eadd407038

SHA256
001e34b504800b5cde61ca05161cd631a1394c3c356459f5f0d523107daef373

SHA512
4b4e90a0a89fa2c94cbbc7149136a30d822e13bdf8a4c755d2fe83a7d9a2acf7d6a5837a81bb0dfdb29d458ca8f0e875c6aa9bbe5d746556e00a11cc9ac1afce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
138e065859b09592420baaa4df605ad7

SHA1
611a675004fce598c31b5e84e524b78e6c3e9776

SHA256
a9e9b4c20554ec4426acdfa976fa43592aa0b5c655b3fcaeb3308371e3d5fa32

SHA512
7f9a8923f49a56aff2368dfcef68fc11d854a5c7b9d8213a3d0500dcdd9e8df5cdb2922b5380f242c63f72b7b606a0ef8bcaf916c9d84ac875d30a03bd9e4a90

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
393ce668786807fba67752ee6a730ae8

SHA1
d036cfdd9d4889ab5910517db5b0e321acea7a96

SHA256
2073ff24673b50bd5393519d1f5d3e8d7d0b5f584baa1b9582cc51a6cecca7c3

SHA512
2b5d4d8084386ec0dca26d6f07c3bc8617d1dfb03a18fddd476d860ea98fda06b0889c3e4be019c94c117751f6857daaf0a818a6863d96c7d5c80b3ab47ecd1d

Download Submit
memory/2960-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download