2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe
Size

1.1MB
MD5

bb6a06ec465ee453bc8767e0ad257b4d
SHA1

bc6e5515a1d2e2fa73ac4f16d30cf78edc693d76
SHA256

2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3
SHA512

1dca6322d94bf4a0d202f34612377a1e65f38515720a92656016e5db69d895f6824a36742134b32f1f4d81fe0d9ae8c0b6f73c489b8d02f29c5357acb0bd5d31
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzMJ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2192	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2192	svchcst.exe
2200	svchcst.exe
2024	svchcst.exe
1472	svchcst.exe
1344	svchcst.exe
1728	svchcst.exe
2096	svchcst.exe
2712	svchcst.exe
2972	svchcst.exe
1828	svchcst.exe
2124	svchcst.exe
3052	svchcst.exe
2984	svchcst.exe
824	svchcst.exe
2932	svchcst.exe
2536	svchcst.exe
3068	svchcst.exe
2008	svchcst.exe
1864	svchcst.exe
1828	svchcst.exe
2248	svchcst.exe
3064	svchcst.exe
1716	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2108	WScript.exe
2108	WScript.exe
1928	WScript.exe
1648	WScript.exe
1648	WScript.exe
1648	WScript.exe
3056	WScript.exe
3056	WScript.exe
1932	WScript.exe
1932	WScript.exe
620	WScript.exe
620	WScript.exe
2052	WScript.exe
2052	WScript.exe
2576	WScript.exe
2576	WScript.exe
1320	WScript.exe
1320	WScript.exe
556	WScript.exe
556	WScript.exe
2432	WScript.exe
2432	WScript.exe
700	WScript.exe
700	WScript.exe
1620	WScript.exe
1620	WScript.exe
2280	WScript.exe
2280	WScript.exe
2856	WScript.exe
2856	WScript.exe
2084	WScript.exe
2084	WScript.exe
1080	WScript.exe
1080	WScript.exe
300	WScript.exe
300	WScript.exe
2312	WScript.exe
2312	WScript.exe
624	WScript.exe
624	WScript.exe
2128	WScript.exe
2128	WScript.exe
2148	WScript.exe
2148	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe
2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe
2192	svchcst.exe
2192	svchcst.exe
2200	svchcst.exe
2200	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
1344	svchcst.exe
1344	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
2712	svchcst.exe
2712	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
3052	svchcst.exe
3052	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
824	svchcst.exe
824	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe
1864	svchcst.exe
1864	svchcst.exe
1828	svchcst.exe
1828	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2108	2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe	30
PID 2740 wrote to memory of 2108	2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe	30
PID 2740 wrote to memory of 2108	2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe	30
PID 2740 wrote to memory of 2108	2740	2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe	30
PID 2108 wrote to memory of 2192	2108	WScript.exe	32
PID 2108 wrote to memory of 2192	2108	WScript.exe	32
PID 2108 wrote to memory of 2192	2108	WScript.exe	32
PID 2108 wrote to memory of 2192	2108	WScript.exe	32
PID 2192 wrote to memory of 1928	2192	svchcst.exe	33
PID 2192 wrote to memory of 1928	2192	svchcst.exe	33
PID 2192 wrote to memory of 1928	2192	svchcst.exe	33
PID 2192 wrote to memory of 1928	2192	svchcst.exe	33
PID 1928 wrote to memory of 2200	1928	WScript.exe	34
PID 1928 wrote to memory of 2200	1928	WScript.exe	34
PID 1928 wrote to memory of 2200	1928	WScript.exe	34
PID 1928 wrote to memory of 2200	1928	WScript.exe	34
PID 2200 wrote to memory of 1648	2200	svchcst.exe	35
PID 2200 wrote to memory of 1648	2200	svchcst.exe	35
PID 2200 wrote to memory of 1648	2200	svchcst.exe	35
PID 2200 wrote to memory of 1648	2200	svchcst.exe	35
PID 1648 wrote to memory of 2024	1648	WScript.exe	36
PID 1648 wrote to memory of 2024	1648	WScript.exe	36
PID 1648 wrote to memory of 2024	1648	WScript.exe	36
PID 1648 wrote to memory of 2024	1648	WScript.exe	36
PID 2024 wrote to memory of 2128	2024	svchcst.exe	37
PID 2024 wrote to memory of 2128	2024	svchcst.exe	37
PID 2024 wrote to memory of 2128	2024	svchcst.exe	37
PID 2024 wrote to memory of 2128	2024	svchcst.exe	37
PID 1648 wrote to memory of 1472	1648	WScript.exe	38
PID 1648 wrote to memory of 1472	1648	WScript.exe	38
PID 1648 wrote to memory of 1472	1648	WScript.exe	38
PID 1648 wrote to memory of 1472	1648	WScript.exe	38
PID 1472 wrote to memory of 3056	1472	svchcst.exe	39
PID 1472 wrote to memory of 3056	1472	svchcst.exe	39
PID 1472 wrote to memory of 3056	1472	svchcst.exe	39
PID 1472 wrote to memory of 3056	1472	svchcst.exe	39
PID 3056 wrote to memory of 1344	3056	WScript.exe	40
PID 3056 wrote to memory of 1344	3056	WScript.exe	40
PID 3056 wrote to memory of 1344	3056	WScript.exe	40
PID 3056 wrote to memory of 1344	3056	WScript.exe	40
PID 1344 wrote to memory of 1932	1344	svchcst.exe	41
PID 1344 wrote to memory of 1932	1344	svchcst.exe	41
PID 1344 wrote to memory of 1932	1344	svchcst.exe	41
PID 1344 wrote to memory of 1932	1344	svchcst.exe	41
PID 1932 wrote to memory of 1728	1932	WScript.exe	42
PID 1932 wrote to memory of 1728	1932	WScript.exe	42
PID 1932 wrote to memory of 1728	1932	WScript.exe	42
PID 1932 wrote to memory of 1728	1932	WScript.exe	42
PID 1728 wrote to memory of 620	1728	svchcst.exe	43
PID 1728 wrote to memory of 620	1728	svchcst.exe	43
PID 1728 wrote to memory of 620	1728	svchcst.exe	43
PID 1728 wrote to memory of 620	1728	svchcst.exe	43
PID 620 wrote to memory of 2096	620	WScript.exe	44
PID 620 wrote to memory of 2096	620	WScript.exe	44
PID 620 wrote to memory of 2096	620	WScript.exe	44
PID 620 wrote to memory of 2096	620	WScript.exe	44
PID 2096 wrote to memory of 2052	2096	svchcst.exe	45
PID 2096 wrote to memory of 2052	2096	svchcst.exe	45
PID 2096 wrote to memory of 2052	2096	svchcst.exe	45
PID 2096 wrote to memory of 2052	2096	svchcst.exe	45
PID 2052 wrote to memory of 2712	2052	WScript.exe	46
PID 2052 wrote to memory of 2712	2052	WScript.exe	46
PID 2052 wrote to memory of 2712	2052	WScript.exe	46
PID 2052 wrote to memory of 2712	2052	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe
"C:\Users\Admin\AppData\Local\Temp\2394137e6d309d88a0fdab84782a1c5b5398b92e78d155ff7f065af221693ee3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a4c5b438c118a0bce8b9dc398b0a8723

SHA1
076848d497b18820b636f5bff5e2b2db07281178

SHA256
c5d24c49980ad27cc376c09ec29a674825c8dc7ffd4749a77db81c620eccc64e

SHA512
f237868357de2f6bf0d6ca2bf2bfc8c87c34a864f8614e462177e4bc9368b30c38f04454710d5e575321885189c2c88edce79897d9ae253a6197ee330c444ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
56b642f742552f48c6b8b9c099412a21

SHA1
c3cf968546d550feddcded0747d331305147e1e3

SHA256
a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

SHA512
43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
067a3458406fce1e0caec803b21a2c58

SHA1
1277d2a3236100a0758d4f4f279cd02d537e626b

SHA256
35c0d5d7757b50c61a708107c8e2ab5df872fdc25516f8003d9d58d3ae5ec9e3

SHA512
99918a35f93140231d63a17c97bb9ef66a5744dc044c7e48034c3d2fcc49c3b97fe0d37a32ae6307a7b7e772b8016a6727672d2844b5ed7dcf20c31dd01724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
be85ce7bb02d959078db568ee3a8905d

SHA1
e3598468f1db49d961a98da4deda91a619b56985

SHA256
4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

SHA512
8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2bf2689d8dd54050c745ab5b2a8cd569

SHA1
8bbf5151205121d035297d923f9a317090819cae

SHA256
315ff427706d9a12ae529acceefa8bd96f01fc5242d1367304e2a8cc0d85ebd7

SHA512
fa2ae4e95005763a79ea66abb7a0e392850d1ea03f3c33be4d924b15aec86048750fbd3e6a5f6439fe0f713d00fd90268e1a0203479e77638e3a88a419587073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5984d21f639e538a7452fd4bd4dd2f0c

SHA1
1f0c752e2998298a0e5861fe07707a6835ae17d5

SHA256
6fa8987db76a78fec33a73480a97587edefa4d85215f79e2275e714162e62bfa

SHA512
c3b7d7b8cdd510704869d690378f9518a03a9d9a287e6820f1614e261652748a2ec1024f757b814160035ef0e9f8a0a0720379b2a131aaf2aae3f2d3233c6380

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2fe2c01c9983f9f1330d566c73a37556

SHA1
bd6d605a48130c16bd40acd027d95fd131c615f7

SHA256
693a414e9e784567f12931655fef1845f13cddddde74f711d8ceec81044f6c54

SHA512
2cce9e42b300003c4df6638e3b6de01ba4d17f868068d69a8bbb0ea3649d5d3cf255c4044c6ecaae33ec8097823d6195a7253f435de64dbcb5a86a1a02a89319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
91c57f43e027a355c6fab1ab194bf30c

SHA1
ac0694a702dc8097c2effca0a4ae1563b1d4de51

SHA256
5c896379035c3e4e995a9dce56ce4ccf04a1cb9b1218a0bdae423a879212825a

SHA512
5a188a96e8903856f65744ac47b53a9ba987f4d49ef8882e2b9c51ddddb5255de305f4a240119816b8996932859c3cfb967a132c48d4f8a9736b7bb465561d32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
42001c9166ddbd632d6fc1b7f1f45de5

SHA1
fdf9c9884e168465a8eb6e0e107671db225001e9

SHA256
a5c24b6bec916a018a3662d1a358412dc37c43a21927cba382bed2a7d2f212c0

SHA512
82e800a47130527c3d9f194472dad896295b42cf11a42c89cf5cf247a08286ac3cdfcd0f924cc4a19c7bee67750f105fd8a7922b3b1ea253c5100cee8e51c381

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1ceacfd81c47f0f052f6d5f2896d31fe

SHA1
ef3dc002f25bc17093f8be1e61cc636eb84990b2

SHA256
1d130309ae8151165117aaf62ea0461741fe72584a29282c0dd7500a062c9d67

SHA512
63bec231d809bd7701e9bec33384cce001965568074a43a116d387eaf1c2ef328aa1346e77caf88a1f2d1667f81ce5c316ada7c421db45a710310190a6a7287d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7db79412e32c1423c8fcc899a325b9f1

SHA1
bf7fb64d0d9645f35a561e357bbbd3f64d3e8dca

SHA256
6fbd06d885dc704a532bd062e171ec6beb80b1e8b7de61d01691f91449dbe7f6

SHA512
e984112ae4af87f90c9a21beeeaa5b827dd7e0225dffd238c96fc2cec8dbe1d194cdfffceb138cfb2d2d8b261081c9155c95a42090fee0c1049adf20b4aae8a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e470d9a281732455293c0a8760f630d2

SHA1
5bcc2c96527e15b809ab0785ceef6d27deb85c22

SHA256
723d878d42b8a73d984c261b25981c76b91693a16aadbe5d76e111271bf0250c

SHA512
3ccbcff07150d17549b0c9e04f41b5d7e80e1280357df88f4ade4548444e54a83a1fb3d1ebcef4ce585f4447e5397fdcc92051c66b67e8367031cb41893e0db5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c3524a9a6d3a5057fc895accc4eeebec

SHA1
43b6424c00d8f4da83b3f4dae843f9361d722549

SHA256
142df62036edaab84fb7f7d76bfffb64d550004525d94e85780f7d1066d8506c

SHA512
7217c493f089a2979cc9e74c2316aefc4f8c83112651fb57a3943aeeaac751139bebee94260d0bb0deaa3f7c03a0b70a40fbb2baff18aed0d6774ffe4bbd158d

Download Submit
memory/2740-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download