02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe
Size

1.1MB
MD5

03b7a88bc3b17d60691d3e22f66abaa0
SHA1

77ec0c964c2993e4de2581cf41fe16edb1e0d273
SHA256

02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823
SHA512

99ff66784a2a79afa4d5c2eecc068ec1afcba58f3be29b264df236da3ebfda33b448456df6c05aae873220d60c42a0c4b96095da5f5af54fd8c6a1ee3acc0545
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q0:acallSllG4ZM7QzMj

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	svchcst.exe

Executes dropped EXE 18 IoCs

pid	Process
2616	svchcst.exe
3012	svchcst.exe
492	svchcst.exe
2492	svchcst.exe
988	svchcst.exe
1836	svchcst.exe
2072	svchcst.exe
2804	svchcst.exe
2104	svchcst.exe
396	svchcst.exe
592	svchcst.exe
2492	svchcst.exe
1532	svchcst.exe
292	svchcst.exe
2000	svchcst.exe
2328	svchcst.exe
2988	svchcst.exe
1036	svchcst.exe

Loads dropped DLL 36 IoCs

pid	Process
2800	WScript.exe
2800	WScript.exe
2688	WScript.exe
2688	WScript.exe
2888	WScript.exe
2888	WScript.exe
1300	WScript.exe
1300	WScript.exe
328	WScript.exe
328	WScript.exe
1616	WScript.exe
1616	WScript.exe
572	WScript.exe
572	WScript.exe
2228	WScript.exe
2228	WScript.exe
2696	WScript.exe
2696	WScript.exe
1788	WScript.exe
1788	WScript.exe
3048	WScript.exe
3048	WScript.exe
1004	WScript.exe
1004	WScript.exe
2204	WScript.exe
2204	WScript.exe
1988	WScript.exe
1988	WScript.exe
2420	WScript.exe
2420	WScript.exe
2772	WScript.exe
2772	WScript.exe
764	WScript.exe
764	WScript.exe
1940	WScript.exe
1940	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe
2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe
2616	svchcst.exe
2616	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
492	svchcst.exe
492	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
988	svchcst.exe
988	svchcst.exe
1836	svchcst.exe
1836	svchcst.exe
2072	svchcst.exe
2072	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
396	svchcst.exe
396	svchcst.exe
592	svchcst.exe
592	svchcst.exe
2492	svchcst.exe
2492	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
292	svchcst.exe
292	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
1036	svchcst.exe
1036	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2800	2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe	30
PID 2932 wrote to memory of 2800	2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe	30
PID 2932 wrote to memory of 2800	2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe	30
PID 2932 wrote to memory of 2800	2932	02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe	30
PID 2800 wrote to memory of 2616	2800	WScript.exe	32
PID 2800 wrote to memory of 2616	2800	WScript.exe	32
PID 2800 wrote to memory of 2616	2800	WScript.exe	32
PID 2800 wrote to memory of 2616	2800	WScript.exe	32
PID 2616 wrote to memory of 2688	2616	svchcst.exe	33
PID 2616 wrote to memory of 2688	2616	svchcst.exe	33
PID 2616 wrote to memory of 2688	2616	svchcst.exe	33
PID 2616 wrote to memory of 2688	2616	svchcst.exe	33
PID 2688 wrote to memory of 3012	2688	WScript.exe	34
PID 2688 wrote to memory of 3012	2688	WScript.exe	34
PID 2688 wrote to memory of 3012	2688	WScript.exe	34
PID 2688 wrote to memory of 3012	2688	WScript.exe	34
PID 3012 wrote to memory of 2888	3012	svchcst.exe	35
PID 3012 wrote to memory of 2888	3012	svchcst.exe	35
PID 3012 wrote to memory of 2888	3012	svchcst.exe	35
PID 3012 wrote to memory of 2888	3012	svchcst.exe	35
PID 2888 wrote to memory of 492	2888	WScript.exe	36
PID 2888 wrote to memory of 492	2888	WScript.exe	36
PID 2888 wrote to memory of 492	2888	WScript.exe	36
PID 2888 wrote to memory of 492	2888	WScript.exe	36
PID 492 wrote to memory of 1300	492	svchcst.exe	37
PID 492 wrote to memory of 1300	492	svchcst.exe	37
PID 492 wrote to memory of 1300	492	svchcst.exe	37
PID 492 wrote to memory of 1300	492	svchcst.exe	37
PID 1300 wrote to memory of 2492	1300	WScript.exe	39
PID 1300 wrote to memory of 2492	1300	WScript.exe	39
PID 1300 wrote to memory of 2492	1300	WScript.exe	39
PID 1300 wrote to memory of 2492	1300	WScript.exe	39
PID 2492 wrote to memory of 328	2492	svchcst.exe	40
PID 2492 wrote to memory of 328	2492	svchcst.exe	40
PID 2492 wrote to memory of 328	2492	svchcst.exe	40
PID 2492 wrote to memory of 328	2492	svchcst.exe	40
PID 328 wrote to memory of 988	328	WScript.exe	41
PID 328 wrote to memory of 988	328	WScript.exe	41
PID 328 wrote to memory of 988	328	WScript.exe	41
PID 328 wrote to memory of 988	328	WScript.exe	41
PID 988 wrote to memory of 1616	988	svchcst.exe	42
PID 988 wrote to memory of 1616	988	svchcst.exe	42
PID 988 wrote to memory of 1616	988	svchcst.exe	42
PID 988 wrote to memory of 1616	988	svchcst.exe	42
PID 1616 wrote to memory of 1836	1616	WScript.exe	43
PID 1616 wrote to memory of 1836	1616	WScript.exe	43
PID 1616 wrote to memory of 1836	1616	WScript.exe	43
PID 1616 wrote to memory of 1836	1616	WScript.exe	43
PID 1836 wrote to memory of 572	1836	svchcst.exe	44
PID 1836 wrote to memory of 572	1836	svchcst.exe	44
PID 1836 wrote to memory of 572	1836	svchcst.exe	44
PID 1836 wrote to memory of 572	1836	svchcst.exe	44
PID 572 wrote to memory of 2072	572	WScript.exe	45
PID 572 wrote to memory of 2072	572	WScript.exe	45
PID 572 wrote to memory of 2072	572	WScript.exe	45
PID 572 wrote to memory of 2072	572	WScript.exe	45
PID 2072 wrote to memory of 2228	2072	svchcst.exe	46
PID 2072 wrote to memory of 2228	2072	svchcst.exe	46
PID 2072 wrote to memory of 2228	2072	svchcst.exe	46
PID 2072 wrote to memory of 2228	2072	svchcst.exe	46
PID 2228 wrote to memory of 2804	2228	WScript.exe	47
PID 2228 wrote to memory of 2804	2228	WScript.exe	47
PID 2228 wrote to memory of 2804	2228	WScript.exe	47
PID 2228 wrote to memory of 2804	2228	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe
"C:\Users\Admin\AppData\Local\Temp\02209b2a018e52c65c979ffba7ada8172398bba17fe8e9d55789d79e5f2f9823N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
754B

MD5
433062d386119dd57e0d6c56ecf77a95

SHA1
dab9c6bcc8c3f18877556cc2c04f554cf2da9b72

SHA256
1ada7ab0a031d8d4de7f8b59013a6103cc30a016d71f776642af474891bdfbb7

SHA512
34b2ba3f0a78bef46c5b36d5db74d533c042e473f732b975925d01c51feef2524e2d5e24747ac68faeeb35e30b3d7e5cf49ab94d852f6d63176305caf161a39a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e74576d29f1c1a7185cdf1e12b96a260

SHA1
f76ee203cb56b7dda62a2947ff1e2fc954efa777

SHA256
e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

SHA512
934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
910e8b4a682865877d5b4c6b32ac2db3

SHA1
7df0ffdcff6b2f1d51878af2ca989990c399c005

SHA256
0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

SHA512
eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5f6ab24f1bbc1745570c1a0edfe20be

SHA1
84d2642329049ad5a558c64856318dcd3ba9513c

SHA256
37a8513138025841ac6b3e05e09e5e86f33dd2ddae73cc65334a1bee82f6013a

SHA512
5c7b315f415598f399ad2711d7e7bde002feb16f93afd5ea764b3a4a4c23cbdcbd050a78938378cd6a92ec465d4f3ee9a0b1099f950370c94f5e05e0b7a6fa6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3905db85590dac4e5e1173ede3003461

SHA1
e8726bb1ab0b941d5b877b90f0657268d8c3c1dd

SHA256
1af83bb690b69cbcf363a44747e5b14851efccc02f9b077aa5d24902ce0e5336

SHA512
6c9b7d315573c425ef9573cf60fab02d6dff19144adf2d8b86bcd26c03a97c45ad01b1d7bc5e682fdfc9acc4f1623c324ea5985d5efec2109d9ffe473488c429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ecb5ca6645772ded9560e9cdd7ebb089

SHA1
6c72fae79987cdc6a807aec7f302615a83285a54

SHA256
6c0499f8f79013f4fb660f095fc85678c96e38e749facdf1d57a431ce60c6d9f

SHA512
f40a04d611dede79c2cde73a7aca69c46015875b1bbd2253c731f9512ff3e09eaaee2e79bd7591e0b8eb995fbae9c8f0517ad90f69e393972ddac646583a3a53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
28e4c33ad8d7e3e948698b0d2f378287

SHA1
e95d2a39e20c02b020594990b8977c1b75c72026

SHA256
81ddb6f211535892335cbc5c776fa4517a4e7d1caf98ed64151a523876a37018

SHA512
f16b1304088f53a590428f72cfc36303fd1de6e3bf19b1d97089826b902b42c5f70414afa748bfd96cb4bc05a2c3877b3f13b04dbe7f1cb84568485cf2b5fe62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
442395b11a388e8775cfb68987180180

SHA1
587382c5cab3613a5c24efd2fb5791fbbe380b8f

SHA256
074d6154244ebe94c291f6353dd1381985b212d063e708e878e4f1bbdb8770b1

SHA512
a72f03887ba8199ae144bb4aff8a11e55b1c52f44f0124e643d0c5cc66ff17cf14879904f1653e4e157cc7841ce18435927dcc4e63230fcf4514a91e3fea60d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
06e5c5cc167304f7114d0b6ed498e382

SHA1
bfc822d0d8ed0c9aae36eab1290be789a0676c2a

SHA256
6551b9f2915185bf0f66aefc6d2144de731d50c2ff578fbd25e88d2e8ff02d74

SHA512
8640a75744416cc50344265e9fc5ba9f9ca288a82fb5ba6a9d27088848532ff24c1ed1f50e13709aa779ebe171c88c1ace2fc74f33f4a49aedcbee53e7b78c23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fa599b299d66010c39386f32fe73e8ed

SHA1
00240a3587d21a184e758684a6089e28a5b23b05

SHA256
42a0afc912693aa7b9a6c4fd984147f4802ec71b3a59dad192e16dc1f88726b5

SHA512
2fd3bce98d6d01db3245a8aadcc987f7369e19fe55a48af5c2178d90abcc02bf12c395fa62af1628c3bc8fdedffde87d454f285f4cce0e1f9a681e2245e0d42c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a0417488679fa057b380b9498254b7f8

SHA1
9d554483fcd139d7c1a7dc98d476d351368fcc0a

SHA256
e82ba0c085cc88097566febc679397e8161f8deffabc1817852c0ab56a09989e

SHA512
87dd9ea61d6a4c9cd1b44afd4f5550a915d80e4bbea4145b129ffad4fde7e892d0dbe5c00d84040a8111985230618c85cb2b2b26f13dfbc7aa7b8a53fc2cae1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b8fda647bdfa9242f89d2a81ab031ab1

SHA1
edafe7f6fb35737875d165bd46ef5f6066083949

SHA256
919141fe2658fb4f8f99a039b7aa07651233e8e10587e521a28ac7c7657b84eb

SHA512
8fb996f33ca34e45970e5c699ff329e2d5ef2e7978de3ccdd7ccf4977af3145c4ec82677b7e8b66824c4cfd18cccbfc5a7b2947f4bbb0005b6220c5cc87afc51

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d9e8c4b5bfbe3234b0ccba745b5ee733

SHA1
d8cf013e241d5a3fa52e5f9186bcbfa1d0f7d702

SHA256
8a59c698f15b7ea496a88422972213b6f368a6e2d7a23457f56d8a06efec4a67

SHA512
fa924c9cb54abfd1adfeed27dc45f9eded3b8dc942297dbaf50875546b9b23d015ee48387ad3994c07c4ae1da53ff695eb73ebce9797332af1cdc9dae7f306ab

Download Submit
memory/292-184-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/328-73-0x0000000005BE0000-0x0000000005D3F000-memory.dmp

Filesize
1.4MB

Download
memory/328-72-0x0000000005BE0000-0x0000000005D3F000-memory.dmp

Filesize
1.4MB

Download
memory/396-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/492-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/572-101-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/572-100-0x0000000005B20000-0x0000000005C7F000-memory.dmp

Filesize
1.4MB

Download
memory/592-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/764-201-0x0000000005A40000-0x0000000005B9F000-memory.dmp

Filesize
1.4MB

Download
memory/988-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1004-161-0x0000000004640000-0x000000000479F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-210-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1036-217-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-57-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download
memory/1300-58-0x0000000005AB0000-0x0000000005C0F000-memory.dmp

Filesize
1.4MB

Download
memory/1532-176-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1788-144-0x0000000005C00000-0x0000000005D5F000-memory.dmp

Filesize
1.4MB

Download
memory/1788-218-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1836-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1988-177-0x00000000043D0000-0x000000000452F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2000-192-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2072-110-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2104-139-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-169-0x00000000046D0000-0x000000000482F000-memory.dmp

Filesize
1.4MB

Download
memory/2228-115-0x0000000004760000-0x00000000048BF000-memory.dmp

Filesize
1.4MB

Download
memory/2328-200-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2328-193-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-168-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2616-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2688-31-0x0000000004740000-0x000000000489F000-memory.dmp

Filesize
1.4MB

Download
memory/2696-130-0x0000000005CA0000-0x0000000005DFF000-memory.dmp

Filesize
1.4MB

Download
memory/2800-13-0x00000000040E0000-0x000000000423F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-14-0x00000000040E0000-0x000000000423F000-memory.dmp

Filesize
1.4MB

Download
memory/2804-125-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2888-43-0x0000000004370000-0x00000000044CF000-memory.dmp

Filesize
1.4MB

Download
memory/2932-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2932-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2988-209-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3048-153-0x0000000004720000-0x000000000487F000-memory.dmp

Filesize
1.4MB

Download