8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
Size

1.1MB
MD5

29f0e9e74f43e87260872ebb2ec4bb3d
SHA1

2702f1af53e31e08ea24f0a7329b135aef809922
SHA256

8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85
SHA512

b453e8bcf31131d6345e18c361e928cc0d067124f52d1d101a3e84f43e41599afa009cf93866747bc7c1a8721805c85f7875964156316293e434c91d3ea44204
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q0:CcaClSFlG4ZM7QzMT

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
692	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
692	svchcst.exe
2380	svchcst.exe
1808	svchcst.exe
2956	svchcst.exe
3040	svchcst.exe
852	svchcst.exe
1288	svchcst.exe
2800	svchcst.exe
2176	svchcst.exe
836	svchcst.exe
2328	svchcst.exe
2524	svchcst.exe
796	svchcst.exe
1940	svchcst.exe
2412	svchcst.exe
2644	svchcst.exe
2416	svchcst.exe
2144	svchcst.exe
2784	svchcst.exe
2888	svchcst.exe
2328	svchcst.exe
604	svchcst.exe
2276	svchcst.exe
852	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2792	WScript.exe
2792	WScript.exe
1772	WScript.exe
1772	WScript.exe
2044	WScript.exe
2044	WScript.exe
2036	WScript.exe
2036	WScript.exe
1112	WScript.exe
1112	WScript.exe
2192	WScript.exe
2192	WScript.exe
1516	WScript.exe
1516	WScript.exe
2748	WScript.exe
2748	WScript.exe
572	WScript.exe
572	WScript.exe
2420	WScript.exe
1144	WScript.exe
1144	WScript.exe
1704	WScript.exe
1704	WScript.exe
1712	WScript.exe
1712	WScript.exe
1716	WScript.exe
1716	WScript.exe
1784	WScript.exe
1784	WScript.exe
980	WScript.exe
980	WScript.exe
3028	WScript.exe
3028	WScript.exe
2172	WScript.exe
2172	WScript.exe
2352	WScript.exe
2352	WScript.exe
2164	WScript.exe
2460	WScript.exe
2460	WScript.exe
1688	WScript.exe
1688	WScript.exe
1328	WScript.exe
1328	WScript.exe
1540	WScript.exe
1540	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe
692	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
692	svchcst.exe
692	svchcst.exe
2380	svchcst.exe
2380	svchcst.exe
1808	svchcst.exe
1808	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
3040	svchcst.exe
3040	svchcst.exe
852	svchcst.exe
852	svchcst.exe
1288	svchcst.exe
1288	svchcst.exe
2800	svchcst.exe
2800	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
836	svchcst.exe
836	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
796	svchcst.exe
796	svchcst.exe
1940	svchcst.exe
1940	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
604	svchcst.exe
604	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
852	svchcst.exe
852	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2792	2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	30
PID 2860 wrote to memory of 2792	2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	30
PID 2860 wrote to memory of 2792	2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	30
PID 2860 wrote to memory of 2792	2860	8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe	30
PID 2792 wrote to memory of 692	2792	WScript.exe	32
PID 2792 wrote to memory of 692	2792	WScript.exe	32
PID 2792 wrote to memory of 692	2792	WScript.exe	32
PID 2792 wrote to memory of 692	2792	WScript.exe	32
PID 692 wrote to memory of 1772	692	svchcst.exe	33
PID 692 wrote to memory of 1772	692	svchcst.exe	33
PID 692 wrote to memory of 1772	692	svchcst.exe	33
PID 692 wrote to memory of 1772	692	svchcst.exe	33
PID 1772 wrote to memory of 2380	1772	WScript.exe	34
PID 1772 wrote to memory of 2380	1772	WScript.exe	34
PID 1772 wrote to memory of 2380	1772	WScript.exe	34
PID 1772 wrote to memory of 2380	1772	WScript.exe	34
PID 2380 wrote to memory of 2044	2380	svchcst.exe	35
PID 2380 wrote to memory of 2044	2380	svchcst.exe	35
PID 2380 wrote to memory of 2044	2380	svchcst.exe	35
PID 2380 wrote to memory of 2044	2380	svchcst.exe	35
PID 2044 wrote to memory of 1808	2044	WScript.exe	36
PID 2044 wrote to memory of 1808	2044	WScript.exe	36
PID 2044 wrote to memory of 1808	2044	WScript.exe	36
PID 2044 wrote to memory of 1808	2044	WScript.exe	36
PID 1808 wrote to memory of 2036	1808	svchcst.exe	37
PID 1808 wrote to memory of 2036	1808	svchcst.exe	37
PID 1808 wrote to memory of 2036	1808	svchcst.exe	37
PID 1808 wrote to memory of 2036	1808	svchcst.exe	37
PID 2036 wrote to memory of 2956	2036	WScript.exe	39
PID 2036 wrote to memory of 2956	2036	WScript.exe	39
PID 2036 wrote to memory of 2956	2036	WScript.exe	39
PID 2036 wrote to memory of 2956	2036	WScript.exe	39
PID 2956 wrote to memory of 1112	2956	svchcst.exe	40
PID 2956 wrote to memory of 1112	2956	svchcst.exe	40
PID 2956 wrote to memory of 1112	2956	svchcst.exe	40
PID 2956 wrote to memory of 1112	2956	svchcst.exe	40
PID 1112 wrote to memory of 3040	1112	WScript.exe	41
PID 1112 wrote to memory of 3040	1112	WScript.exe	41
PID 1112 wrote to memory of 3040	1112	WScript.exe	41
PID 1112 wrote to memory of 3040	1112	WScript.exe	41
PID 3040 wrote to memory of 2192	3040	svchcst.exe	42
PID 3040 wrote to memory of 2192	3040	svchcst.exe	42
PID 3040 wrote to memory of 2192	3040	svchcst.exe	42
PID 3040 wrote to memory of 2192	3040	svchcst.exe	42
PID 2192 wrote to memory of 852	2192	WScript.exe	43
PID 2192 wrote to memory of 852	2192	WScript.exe	43
PID 2192 wrote to memory of 852	2192	WScript.exe	43
PID 2192 wrote to memory of 852	2192	WScript.exe	43
PID 852 wrote to memory of 1516	852	svchcst.exe	44
PID 852 wrote to memory of 1516	852	svchcst.exe	44
PID 852 wrote to memory of 1516	852	svchcst.exe	44
PID 852 wrote to memory of 1516	852	svchcst.exe	44
PID 1516 wrote to memory of 1288	1516	WScript.exe	45
PID 1516 wrote to memory of 1288	1516	WScript.exe	45
PID 1516 wrote to memory of 1288	1516	WScript.exe	45
PID 1516 wrote to memory of 1288	1516	WScript.exe	45
PID 1288 wrote to memory of 2748	1288	svchcst.exe	46
PID 1288 wrote to memory of 2748	1288	svchcst.exe	46
PID 1288 wrote to memory of 2748	1288	svchcst.exe	46
PID 1288 wrote to memory of 2748	1288	svchcst.exe	46
PID 2748 wrote to memory of 2800	2748	WScript.exe	47
PID 2748 wrote to memory of 2800	2748	WScript.exe	47
PID 2748 wrote to memory of 2800	2748	WScript.exe	47
PID 2748 wrote to memory of 2800	2748	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe
"C:\Users\Admin\AppData\Local\Temp\8a72c93ddd72c8a591680e6f68136ef895637ec00a9454d0d9817cfd9955bc85.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4c428a4eb5876e9ec1f6204618da92ea

SHA1
dbccbcc9b20e647546907720ffe9ab4ae9b47556

SHA256
8d8d7a7a91a72f29d6dabd3566738374199a77019dee7b9fb30ef2e2f002b861

SHA512
32d6f876cda4f7021b1e25c91285a7daadb08bdc70a472819b3525d416d92b8bc6e53b0d606d4e1a3be6db186744da31a814c3e9de35cf4ea912e8b22f6b7474

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1cd04c63c025f0297f2ae60e978d92a1

SHA1
047246564f4b2ab71494a82cef25f5bcdeb63469

SHA256
c5d481502d8e9429512066a0eb058459e0d7d60fbfc4aed5169b3ea47966c9ed

SHA512
dede45f2ae3b7da526e64e82f5e550d9f29d7ad0409fe97a0067bcd8ad70859a8f05441dcad0f2364710f8d9bf58997ffea6874b4797948b61486570394325a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
51b2348c37bbedcb127fa176820f5ea2

SHA1
6e70ca09179127890e64c4ffa345b2af573c39fa

SHA256
7b37f5580068bfba5583d762d9b64c8ee6468a9e064547f230757c4be595bd02

SHA512
0f9755ae0408b0dd6e1279bfa8c5dfbe63b3775a81a3c5b342c5e56e7521d292b0c4e94053e6fa0c3da233f3af60aae2dc28749f991ea81fd9bf2627698a343e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f988db0382571319f9b0af53097c2376

SHA1
fd83936b61f5d4256a899610d5c13c5a9b24e625

SHA256
8557443470cff4b30c533603a8e73dd9b9c55af2bae1ed0a7ce86d860fe4953c

SHA512
8f0df896cf7432ac5248f1149a79cc721e40e80dc1ced770f830725c00e64bb96944bbdd375aa25587e0574dba32375934cbf99bf99f33267296c1e605ac8703

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3efc78de9c3c09bee9731f067ed67362

SHA1
d2c2897b7f14830571dd93722ac08c403d9bcf75

SHA256
8532a5a741f3b2194e2ed26e37576b86c3e5fd46bb1260e9d5803e682e2eac25

SHA512
a0d39f190644dcbc468afa91038d7dc214f33d22ab3e9f054d3d98d1fc7bd9aedc695afabb56f0e6aa538d64f0dd10b1d88747e61d053031c48ea2bf4e50643e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9616c62de4c64df90781aee2e3c7d0fa

SHA1
3c83fd103e1f9f34fd54e6c941723e2292bfe3dd

SHA256
94eb102a924ed5b0153ba6b354dc61fc7ad51b30d1d62311634d8c88f26729c7

SHA512
e19024b4a0d5264bda604768f11248a27d8a1bd9682feda8ab0fb088e89b700a0452bb355e90a9ed7ef3913ad28f1b5b8a7a47639ca5d491974d9c66e3e6d513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
430a1b1dbef9abb94be52e776ad0cb84

SHA1
f1f3ced105d9f421076e62c55b929d1d8f89e5aa

SHA256
b92cf92e9f96856dde094fac30e580a8cec529fe457b95485a847b51f6bff511

SHA512
877efc33c7cab07eb02a01377fc494b8765a350269cc6eed32f7123a5c4db09924e0e5975a04834194ac5bdcfcfb136f8bfc80cf671a3cfab322c12d2d1e3012

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bd7013eee0fb299bb54e959a78104e7c

SHA1
3149d122fbdf4be19785ce39bed0bd43383a48fa

SHA256
6f58cd43c9f4e24ba3786f6c3440fb4e332a6ac01c0fd1ae16c2a24b70157ee3

SHA512
fcab71c2295f4383b1afe92ff9dd27d1944e6e8c90da9afa9691dde9c93b5a15fd031cec920425407e602e8e58dc10dfd349585b2e8edbea9787575a536a154c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c6819887ebfaf9a28fe67c0e3e392675

SHA1
ad0ee2d1c899a22f6f32988baed17f6085f31503

SHA256
d2fcd384dc21870405652958c1133e7b629e80a7e326d2892a82bf97c8300d5e

SHA512
a134b06c82dddd91e0d27a61fe1417d4f96342f01f187b76c07db5ab8e096262d87cadb678ac0f2cea04d70cf4476e0532efde1de0fae79b6ac9b22eb7ad7eef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
27419bfefe076b915dbd3f6513e99c88

SHA1
2930539ccf4360129b9930038da057fa0658c3ed

SHA256
0f115aad465b704681733cb3c5110e68fed68436c624737433b7623bb4d84bd1

SHA512
ddda681bc5b3a32865864979583e424c82d28d9ce32a43dbbef8e80a8be9884d9ae4cc9a2c93e09d99b847c8c5257aa726efe179449c6f75f2a28ee62aa46930

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bbef68f073481dacc189f73737742400

SHA1
a85697ebdab51086ecb83ffefa5a3f197745b362

SHA256
52836201919874e04a03ce34df24db6d23ada60870478117b364345132a2d83c

SHA512
241dd43b0761e0d2e6465c1f76085db97970086f8989705dd228446819345ba2bc1811d4a5017bf9e531f2f7c84205c4c03984dcc039b9f2fd5e530ef8201985

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e6263da0167497a840ae92b28e1cd565

SHA1
e3a2981bc6c0a86f8d446bf19ec10c5a2b7a1ddb

SHA256
c744919d5c8e7b47060cad36730f965e55feb74ff40804356185cad8ebf8880e

SHA512
699285b4bf6c0022b12dd06a0b6a44cfc444b9c8cd89f1083cbe7f45136ecce0f7c913aedc436e1e88e106b849af59bccc23967b6078d6fe68b85eb69cff104a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
daae7486569e8938d503950c60f107b1

SHA1
0c5514e6599a00e57281bdf6aab092c68bbf19c0

SHA256
b56d8994249744a731f4bd8168d7850d695245b2673229e8f873852ec4433838

SHA512
93be1c32b342a13671e8981d58b60a47c75993d9200dab22806f9a07165d57038453cd1311ca5497412dac936c4bbe02aca81cac1b401bdad9d39b4285029f75

Download Submit
memory/2860-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download