c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
Size

1.1MB
MD5

0e6b9be67bbf3f4ec1efe2fd8b5ab1d0
SHA1

5f08f01b54e6eb2d16ea07403535410e50bdfdd0
SHA256

c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2
SHA512

d1254b9d9788d3318de2417362f9c0356260e2eb442b248d44aed20f5d2ca67113025ca10b6bedd3cfdc1fd6ef2ab92eae7afed61efa59a02f20e2731d606066
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qj:CcaClSFlG4ZM7QzMk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2976	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2976	svchcst.exe
2304	svchcst.exe
2140	svchcst.exe
2224	svchcst.exe
2808	svchcst.exe
920	svchcst.exe
308	svchcst.exe
2756	svchcst.exe
2728	svchcst.exe
1052	svchcst.exe
3064	svchcst.exe
2416	svchcst.exe
328	svchcst.exe
2004	svchcst.exe
2448	svchcst.exe
2740	svchcst.exe
2708	svchcst.exe
2620	svchcst.exe
3032	svchcst.exe
1284	svchcst.exe
2288	svchcst.exe
1592	svchcst.exe
568	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2412	WScript.exe
2412	WScript.exe
2880	WScript.exe
2880	WScript.exe
268	WScript.exe
1320	WScript.exe
2200	WScript.exe
2200	WScript.exe
2200	WScript.exe
2200	WScript.exe
1760	WScript.exe
1760	WScript.exe
896	WScript.exe
896	WScript.exe
2860	WScript.exe
2860	WScript.exe
2644	WScript.exe
2644	WScript.exe
2928	WScript.exe
2928	WScript.exe
2948	WScript.exe
2948	WScript.exe
1548	WScript.exe
1548	WScript.exe
1564	WScript.exe
1564	WScript.exe
2228	WScript.exe
2228	WScript.exe
1600	WScript.exe
1600	WScript.exe
2884	WScript.exe
2884	WScript.exe
2976	WScript.exe
2976	WScript.exe
2900	WScript.exe
2900	WScript.exe
1272	WScript.exe
1272	WScript.exe
2960	WScript.exe
2960	WScript.exe
1092	WScript.exe
1092	WScript.exe
1492	WScript.exe
1492	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
2976	svchcst.exe
2976	svchcst.exe
2304	svchcst.exe
2304	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2808	svchcst.exe
2808	svchcst.exe
920	svchcst.exe
920	svchcst.exe
308	svchcst.exe
308	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2728	svchcst.exe
2728	svchcst.exe
1052	svchcst.exe
1052	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
328	svchcst.exe
328	svchcst.exe
2004	svchcst.exe
2004	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2740	svchcst.exe
2740	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
1284	svchcst.exe
1284	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
1592	svchcst.exe
1592	svchcst.exe
568	svchcst.exe
568	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2412	3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	31
PID 3044 wrote to memory of 2412	3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	31
PID 3044 wrote to memory of 2412	3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	31
PID 3044 wrote to memory of 2412	3044	c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe	31
PID 2412 wrote to memory of 2976	2412	WScript.exe	33
PID 2412 wrote to memory of 2976	2412	WScript.exe	33
PID 2412 wrote to memory of 2976	2412	WScript.exe	33
PID 2412 wrote to memory of 2976	2412	WScript.exe	33
PID 2976 wrote to memory of 2880	2976	svchcst.exe	34
PID 2976 wrote to memory of 2880	2976	svchcst.exe	34
PID 2976 wrote to memory of 2880	2976	svchcst.exe	34
PID 2976 wrote to memory of 2880	2976	svchcst.exe	34
PID 2880 wrote to memory of 2304	2880	WScript.exe	35
PID 2880 wrote to memory of 2304	2880	WScript.exe	35
PID 2880 wrote to memory of 2304	2880	WScript.exe	35
PID 2880 wrote to memory of 2304	2880	WScript.exe	35
PID 2304 wrote to memory of 268	2304	svchcst.exe	36
PID 2304 wrote to memory of 268	2304	svchcst.exe	36
PID 2304 wrote to memory of 268	2304	svchcst.exe	36
PID 2304 wrote to memory of 268	2304	svchcst.exe	36
PID 268 wrote to memory of 2140	268	WScript.exe	37
PID 268 wrote to memory of 2140	268	WScript.exe	37
PID 268 wrote to memory of 2140	268	WScript.exe	37
PID 268 wrote to memory of 2140	268	WScript.exe	37
PID 2140 wrote to memory of 1320	2140	svchcst.exe	38
PID 2140 wrote to memory of 1320	2140	svchcst.exe	38
PID 2140 wrote to memory of 1320	2140	svchcst.exe	38
PID 2140 wrote to memory of 1320	2140	svchcst.exe	38
PID 1320 wrote to memory of 2224	1320	WScript.exe	39
PID 1320 wrote to memory of 2224	1320	WScript.exe	39
PID 1320 wrote to memory of 2224	1320	WScript.exe	39
PID 1320 wrote to memory of 2224	1320	WScript.exe	39
PID 2224 wrote to memory of 2200	2224	svchcst.exe	40
PID 2224 wrote to memory of 2200	2224	svchcst.exe	40
PID 2224 wrote to memory of 2200	2224	svchcst.exe	40
PID 2224 wrote to memory of 2200	2224	svchcst.exe	40
PID 2200 wrote to memory of 2808	2200	WScript.exe	41
PID 2200 wrote to memory of 2808	2200	WScript.exe	41
PID 2200 wrote to memory of 2808	2200	WScript.exe	41
PID 2200 wrote to memory of 2808	2200	WScript.exe	41
PID 2808 wrote to memory of 2580	2808	svchcst.exe	42
PID 2808 wrote to memory of 2580	2808	svchcst.exe	42
PID 2808 wrote to memory of 2580	2808	svchcst.exe	42
PID 2808 wrote to memory of 2580	2808	svchcst.exe	42
PID 2200 wrote to memory of 920	2200	WScript.exe	43
PID 2200 wrote to memory of 920	2200	WScript.exe	43
PID 2200 wrote to memory of 920	2200	WScript.exe	43
PID 2200 wrote to memory of 920	2200	WScript.exe	43
PID 920 wrote to memory of 1760	920	svchcst.exe	44
PID 920 wrote to memory of 1760	920	svchcst.exe	44
PID 920 wrote to memory of 1760	920	svchcst.exe	44
PID 920 wrote to memory of 1760	920	svchcst.exe	44
PID 1760 wrote to memory of 308	1760	WScript.exe	45
PID 1760 wrote to memory of 308	1760	WScript.exe	45
PID 1760 wrote to memory of 308	1760	WScript.exe	45
PID 1760 wrote to memory of 308	1760	WScript.exe	45
PID 308 wrote to memory of 896	308	svchcst.exe	46
PID 308 wrote to memory of 896	308	svchcst.exe	46
PID 308 wrote to memory of 896	308	svchcst.exe	46
PID 308 wrote to memory of 896	308	svchcst.exe	46
PID 896 wrote to memory of 2756	896	WScript.exe	47
PID 896 wrote to memory of 2756	896	WScript.exe	47
PID 896 wrote to memory of 2756	896	WScript.exe	47
PID 896 wrote to memory of 2756	896	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe
"C:\Users\Admin\AppData\Local\Temp\c9df9d8062025f8b93b4322bc4ab41defa112db8c263a8a7b9960499faf234b2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
37fa35e79bc6d03fe1d59713859060a0

SHA1
dbc3da98cc57099adf2961cc9467503fc3c40f55

SHA256
ef64fc05f20733a69058403d96081f98d02aef9e299477a3afffbc4790e1cc52

SHA512
53eaa9f6f805ab3598cd1fd8e50230adfe5c8ce7ca33a0a0a5bfca9b6e5a6dd97fec1beddb8972daaa2b688be17554f288fd49f57f5d3ce44283fa33c7a7c308

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7f92a34f71720b04d60028801eb07932

SHA1
1701bae49609dc0ad1ab56823ae2414fd6c286c5

SHA256
b7445df62a392850e8ed07fba398dd5896625b6bcd694dfb5a02797ca2c637ee

SHA512
f5173fb410530956a6fcc8a15894c4186ae7fbac8e408714143359b476a2a2b1bd528cdb2e4647d1c16b99f108e452fb4fcb0a6db5eae6750fc6f6d8edd85360

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
41bdc303960afcda8ebae4f3e29f0b52

SHA1
4cbf649fb04c836614138308a06ecd48dcb2882d

SHA256
da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999

SHA512
800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ee35194fa07bea6145178b37a18edb25

SHA1
7cbe9989cbc0090cc0ab534c7aa77d64d959e489

SHA256
e323603a594cf3a7e03aea20d2ab69a17040a02f256ac1e3fe02f8a36889a483

SHA512
d292e22575da17d694a33d6132cea65ca1c58a16bd2532dd24db161d2a77cf233039ed1b66b48868210f4d0ffff16678db3be341eca044432b8087b520e59f71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
72ba6a57eb348faa021c29c026b9cc64

SHA1
7efa350148747304b44d28f61513bd0b8a6b544a

SHA256
95f2f1be9f0bf9a1b086b8c91e36103eed5fbd0c40bcb22ee72f6e0414b88308

SHA512
f9b3bb67ce239c3fc52dd5791d4cca2d203d2271c6aa5fb7839dcf29a398da8c755ae36bd8995b05fd839e8b12bfaa5958e6a1f32efa38dbf1dcb1f30994f90a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
eae3e690fa1f3627d6c90bc099499775

SHA1
cf9157af1e5f78b97a76b1d319cee6993668b1b8

SHA256
515c2b23b9ec6f5f6e72950d0ca3b09e32f6490bdc2dddd78cf2f7140f41b8e5

SHA512
44d6376bff36e16285cc69dc8813fd17b8563e7de39d294a473c27aa9b2449297b59006a2fb8ca22927515c4d80aeb550880784fdbe196c7a6c3a7655de4a16d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
38a6aabdcdb2bdc83fc1a03797cf0e87

SHA1
f81b8fa5e751f162e6e96f453c49e23e6909af14

SHA256
4a5a6ed6553d1b65ddec9d489ed0bdb18ea62fd2cb0e8f9470a801523ded4ee6

SHA512
9a586135e5d28d664cb0d63f8c16fd71452fb13b1b3ba68073733b271003f856bf8fef034d09091e9e54b48e11a350e686d726ee681e65d9659be51eb301808b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1b2b2daca6a205f792a1126f0b822b1b

SHA1
0f42b9303e4b04ec2b75b2ab5e817aa1648145c9

SHA256
d01238cb45822c3e5510657a076febd8c2bd547c41bd7e228606720c5f4d919e

SHA512
4a37a50d271786532b4aa4570cb496270a0be1652913b5c50e97d2cdb7a4c555e0f0ba8eb7f2ad4be3ae882a8412c70eee2655bd0fb68041851b114167ae87a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a2e871f9407101ebc8bd02a1129c1bc

SHA1
a3ea1e3241e362cc2fce46212704eb27b8632d51

SHA256
7b2f44264968a4c571db40a1e1c7a64ad33ca72be788e618ae7333a42e1b7fc2

SHA512
4abdd28fc4f53e090802dcb1d4f0ebf78b7c0aea8b904b433346d26ed0b53db7bcdc2466cc2c7427160f71378f36d1983b252a6f56f13e4474a86b7ff182435d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3492b401dc50277f999a976fcbe45e6a

SHA1
8618684c50cb13b179e97401e0eabc6fc880df85

SHA256
8e59466f6cdcadc99175933a5f07bb5700dfa1aade8cbe61a028b98494998824

SHA512
a4e2019224cc4117a0a78a43657788edc2fdf33437db015a172b110bbb8cfd7142a306f2111471ea9291f3a52872cefdaa4fb1f5ef7284d5551565c63ad419a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
245b1404de0d0c70a6d80cc6b0f5a5a0

SHA1
cbdb90413d1b60d2136899335eff0a45afd3c032

SHA256
f4bc5b865f5a93785979a0844590b5ab1568e249b24c0d59c5e21a2037a89df0

SHA512
a70efff6e2629e69e0d043c170f9e3e9cee3057a6457d1db8dd6f6f6c8c62743d5f8af3db12f5e358123c34af2071cd06555cd603703be40d4dceca3a3c924e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1e78319bd52a32b47a2d4e0e9bd4fdb8

SHA1
29a3a4167bc903c868610895b72243ea990d2659

SHA256
cafb1faf9ccae58300802b394a485801cfddf341289253304c8d757bb4710e54

SHA512
b647f570717a44d9efd331fe104287d54ddeeda67622ba5a2abfaac182ab09f2c16852a39a7194cad6eb4252e092c55b24b467a0d69af2d216dd5501b921e551

Download Submit
memory/3044-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download