fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
Size

1.1MB
MD5

cab674004c6f76c5d994724abf83e4fa
SHA1

ad1df8b1bbc7ea4fd06ac7544cd366f8c3ff70b0
SHA256

fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d
SHA512

90b7672b9f84efaeda3a0906da69fd17cf6f6b10557c2eabee3800d3c632e7fd884ef8cb43dc39e57f1444dd5289ada7915c7bb47bf1242bf68897c71019866c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qy:CcaClSFlG4ZM7QzMx

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2224	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2224	svchcst.exe
2924	svchcst.exe
1740	svchcst.exe
1788	svchcst.exe
2016	svchcst.exe
1728	svchcst.exe
2252	svchcst.exe
1596	svchcst.exe
2684	svchcst.exe
1632	svchcst.exe
2656	svchcst.exe
2108	svchcst.exe
3036	svchcst.exe
1472	svchcst.exe
2268	svchcst.exe
1988	svchcst.exe
2692	svchcst.exe
2716	svchcst.exe
1756	svchcst.exe
1716	svchcst.exe
536	svchcst.exe
2924	svchcst.exe
2440	svchcst.exe
1472	svchcst.exe

Loads dropped DLL 39 IoCs

pid	Process
2788	WScript.exe
2788	WScript.exe
2328	WScript.exe
2976	WScript.exe
2976	WScript.exe
2976	WScript.exe
2420	WScript.exe
1796	WScript.exe
2544	WScript.exe
1556	WScript.exe
1556	WScript.exe
1556	WScript.exe
2864	WScript.exe
572	WScript.exe
1220	WScript.exe
2800	WScript.exe
2800	WScript.exe
2800	WScript.exe
2800	WScript.exe
816	WScript.exe
816	WScript.exe
1560	WScript.exe
1560	WScript.exe
916	WScript.exe
916	WScript.exe
1604	WScript.exe
1604	WScript.exe
1192	WScript.exe
1192	WScript.exe
2684	WScript.exe
2684	WScript.exe
1724	WScript.exe
1724	WScript.exe
1052	WScript.exe
1052	WScript.exe
2176	WScript.exe
2176	WScript.exe
1892	WScript.exe
1892	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
2224	svchcst.exe
2224	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
1740	svchcst.exe
1740	svchcst.exe
1788	svchcst.exe
1788	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
1596	svchcst.exe
1596	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
1632	svchcst.exe
1632	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
2268	svchcst.exe
2268	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe
2692	svchcst.exe
2692	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
536	svchcst.exe
536	svchcst.exe
2924	svchcst.exe
2924	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2788	2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	30
PID 2716 wrote to memory of 2788	2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	30
PID 2716 wrote to memory of 2788	2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	30
PID 2716 wrote to memory of 2788	2716	fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe	30
PID 2788 wrote to memory of 2224	2788	WScript.exe	32
PID 2788 wrote to memory of 2224	2788	WScript.exe	32
PID 2788 wrote to memory of 2224	2788	WScript.exe	32
PID 2788 wrote to memory of 2224	2788	WScript.exe	32
PID 2224 wrote to memory of 2328	2224	svchcst.exe	33
PID 2224 wrote to memory of 2328	2224	svchcst.exe	33
PID 2224 wrote to memory of 2328	2224	svchcst.exe	33
PID 2224 wrote to memory of 2328	2224	svchcst.exe	33
PID 2328 wrote to memory of 2924	2328	WScript.exe	34
PID 2328 wrote to memory of 2924	2328	WScript.exe	34
PID 2328 wrote to memory of 2924	2328	WScript.exe	34
PID 2328 wrote to memory of 2924	2328	WScript.exe	34
PID 2924 wrote to memory of 2976	2924	svchcst.exe	35
PID 2924 wrote to memory of 2976	2924	svchcst.exe	35
PID 2924 wrote to memory of 2976	2924	svchcst.exe	35
PID 2924 wrote to memory of 2976	2924	svchcst.exe	35
PID 2976 wrote to memory of 1740	2976	WScript.exe	36
PID 2976 wrote to memory of 1740	2976	WScript.exe	36
PID 2976 wrote to memory of 1740	2976	WScript.exe	36
PID 2976 wrote to memory of 1740	2976	WScript.exe	36
PID 1740 wrote to memory of 1984	1740	svchcst.exe	37
PID 1740 wrote to memory of 1984	1740	svchcst.exe	37
PID 1740 wrote to memory of 1984	1740	svchcst.exe	37
PID 1740 wrote to memory of 1984	1740	svchcst.exe	37
PID 2976 wrote to memory of 1788	2976	WScript.exe	38
PID 2976 wrote to memory of 1788	2976	WScript.exe	38
PID 2976 wrote to memory of 1788	2976	WScript.exe	38
PID 2976 wrote to memory of 1788	2976	WScript.exe	38
PID 1788 wrote to memory of 2420	1788	svchcst.exe	39
PID 1788 wrote to memory of 2420	1788	svchcst.exe	39
PID 1788 wrote to memory of 2420	1788	svchcst.exe	39
PID 1788 wrote to memory of 2420	1788	svchcst.exe	39
PID 2420 wrote to memory of 2016	2420	WScript.exe	40
PID 2420 wrote to memory of 2016	2420	WScript.exe	40
PID 2420 wrote to memory of 2016	2420	WScript.exe	40
PID 2420 wrote to memory of 2016	2420	WScript.exe	40
PID 2016 wrote to memory of 1796	2016	svchcst.exe	41
PID 2016 wrote to memory of 1796	2016	svchcst.exe	41
PID 2016 wrote to memory of 1796	2016	svchcst.exe	41
PID 2016 wrote to memory of 1796	2016	svchcst.exe	41
PID 1796 wrote to memory of 1728	1796	WScript.exe	42
PID 1796 wrote to memory of 1728	1796	WScript.exe	42
PID 1796 wrote to memory of 1728	1796	WScript.exe	42
PID 1796 wrote to memory of 1728	1796	WScript.exe	42
PID 1728 wrote to memory of 2544	1728	svchcst.exe	43
PID 1728 wrote to memory of 2544	1728	svchcst.exe	43
PID 1728 wrote to memory of 2544	1728	svchcst.exe	43
PID 1728 wrote to memory of 2544	1728	svchcst.exe	43
PID 2544 wrote to memory of 2252	2544	WScript.exe	44
PID 2544 wrote to memory of 2252	2544	WScript.exe	44
PID 2544 wrote to memory of 2252	2544	WScript.exe	44
PID 2544 wrote to memory of 2252	2544	WScript.exe	44
PID 2252 wrote to memory of 1556	2252	svchcst.exe	45
PID 2252 wrote to memory of 1556	2252	svchcst.exe	45
PID 2252 wrote to memory of 1556	2252	svchcst.exe	45
PID 2252 wrote to memory of 1556	2252	svchcst.exe	45
PID 1556 wrote to memory of 1596	1556	WScript.exe	46
PID 1556 wrote to memory of 1596	1556	WScript.exe	46
PID 1556 wrote to memory of 1596	1556	WScript.exe	46
PID 1556 wrote to memory of 1596	1556	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe
"C:\Users\Admin\AppData\Local\Temp\fee35732f5ac90d2074a3103c0f021fb602c364617cf297038a8834f8f30fa5d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
403bb4676c4d6181d3b6889b67266347

SHA1
c279f5011c57ed35a96358b6d410f2d2a1800bb5

SHA256
12c5de53ba0d1694bef93f6dd52fcf16b981b0d26a8a382fde9389bfda987352

SHA512
19cfc6d836aa0909cb3d70b11fa47154fc8e90a1a74c166c19e8290f86ea6f91f560a8f5af4984d862370e0fe14bf1e8ff420d090937d899ca79bcd518dc14c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4d8de8aafa7849de2f40f61eb205cc42

SHA1
67decea42f8c2ee805e859a898922c90ae105cdc

SHA256
44a2def2aab8221d4302282a111d1b9592b8828363736aa27a3343836817d2e2

SHA512
a44c1b2e8bc3b432daac94073c22e3b93ee412e345f4b2037586fc178fc7909f9360c2ba0817d7648d0739aabf51c6533e87226bffcd7109974e561d901610fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
308b7da7ec377746fab239c88940c7ea

SHA1
62356f1d6078f5587c1e0fa2201b199ebfdd0372

SHA256
3c6e5a89529248f6074cab8ca705d7f399c2808e185a451f2520d767e7aecd77

SHA512
bfd886261d3c9ae90f40968acb30b229e8d6754768bee5430f246594b5f81952de101a572cedb84bd1ab9a39cb607ec981287e9e03ea45b829744c47ee9bc877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b60bfc4692ecd53e01d7b9d06ec95a2

SHA1
69c495126e0a6d0d1cbbf54a0afc87ae4e1cd2f7

SHA256
752ba5cb27fd8974fcdac48a8075a036d76b7cc4b62cef1d0c43913e1cf127b2

SHA512
3ad2705b0e207751371776dd361748c10f0e72fdba91f515c3aa2e72c4f44cf8a538ad35cf70254daa88ec2fa078dfcbfb05ab228e312dcd60593d249cf4bee7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9265a6a6b93312e77d47d2e5157bcd0d

SHA1
07d424311e43e39da7ea77caf94c51315cf2110b

SHA256
89cf2d0d431b2ea6abe69ef23dcd2503b3dae49cc060b1478a638df968ad1c96

SHA512
5775a772db87d0fbfcb0441d1cd4462140487b53de7116654a746f5559a9a0b7f4f34440727da4e90bcc8994c2c0be2cb049ff6128958ccdb815ef74763ad02a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d0a4baeaeea2158555d232d07bd79a57

SHA1
303f9c4d154a945debe143030ce98d56ffec469d

SHA256
d688686af7187a493883428cf554ca63320235b7204ed2ed27a0c79e7bb620d4

SHA512
16db34eda6ad42ff75a15440fe74a434792e1c855897d736fec45b53c21ce485b186700977acda89a9cbde3ee8b1a244f8ace7033d569bd1681ed30aed7eeb60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
566555bf4756246aa07fb8baaeaf9929

SHA1
29379b7052a8ffbc4acee3bd2223d6c14636f6d3

SHA256
5285957db6c7d125bf2a945a43a76f478a18593fcce280010bf5ac11678b6c61

SHA512
0c434fd95b37de48ddbe71a0fb97fa59fcafbe2ab9c9353e152e480ab9c07ff9fa5c6db32f3ef505982e188669e5a0dc91352b1c66167384db806299d8dd4d9b

Download Submit
memory/2716-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download