c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
Size

1.1MB
MD5

cfd4a50cb8d9fff4a80a797b7f202f72
SHA1

2ab1519461ea9e659be413b0d1f7ad2dab645f75
SHA256

c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190
SHA512

04ae62d7233908354582921c66734701b1a9f129979821e648c79967f33d288e9939f203adec6c2efc84374fec7a3ed7ade1983aa526e8df1c098f965231a585
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qy:CcaClSFlG4ZM7QzMx

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2280	svchcst.exe

Executes dropped EXE 16 IoCs

pid	Process
2280	svchcst.exe
2248	svchcst.exe
2820	svchcst.exe
1384	svchcst.exe
2616	svchcst.exe
1532	svchcst.exe
1988	svchcst.exe
892	svchcst.exe
2084	svchcst.exe
2684	svchcst.exe
1484	svchcst.exe
3024	svchcst.exe
1228	svchcst.exe
1756	svchcst.exe
2052	svchcst.exe
1936	svchcst.exe

Loads dropped DLL 25 IoCs

pid	Process
1480	WScript.exe
1480	WScript.exe
2680	WScript.exe
2680	WScript.exe
1928	WScript.exe
1928	WScript.exe
2880	WScript.exe
2880	WScript.exe
2416	WScript.exe
776	WScript.exe
776	WScript.exe
776	WScript.exe
2464	WScript.exe
1000	WScript.exe
1648	WScript.exe
1648	WScript.exe
2700	WScript.exe
2700	WScript.exe
2680	WScript.exe
1164	WScript.exe
1164	WScript.exe
1164	WScript.exe
2580	WScript.exe
2580	WScript.exe
2612	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
2280	svchcst.exe
2280	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
1384	svchcst.exe
1384	svchcst.exe
2616	svchcst.exe
2616	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
892	svchcst.exe
892	svchcst.exe
1988	svchcst.exe
1988	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe
1756	svchcst.exe
1756	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1480	2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe	30
PID 2716 wrote to memory of 1480	2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe	30
PID 2716 wrote to memory of 1480	2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe	30
PID 2716 wrote to memory of 1480	2716	c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe	30
PID 1480 wrote to memory of 2280	1480	WScript.exe	33
PID 1480 wrote to memory of 2280	1480	WScript.exe	33
PID 1480 wrote to memory of 2280	1480	WScript.exe	33
PID 1480 wrote to memory of 2280	1480	WScript.exe	33
PID 2280 wrote to memory of 2680	2280	svchcst.exe	34
PID 2280 wrote to memory of 2680	2280	svchcst.exe	34
PID 2280 wrote to memory of 2680	2280	svchcst.exe	34
PID 2280 wrote to memory of 2680	2280	svchcst.exe	34
PID 2680 wrote to memory of 2248	2680	WScript.exe	35
PID 2680 wrote to memory of 2248	2680	WScript.exe	35
PID 2680 wrote to memory of 2248	2680	WScript.exe	35
PID 2680 wrote to memory of 2248	2680	WScript.exe	35
PID 2248 wrote to memory of 1928	2248	svchcst.exe	36
PID 2248 wrote to memory of 1928	2248	svchcst.exe	36
PID 2248 wrote to memory of 1928	2248	svchcst.exe	36
PID 2248 wrote to memory of 1928	2248	svchcst.exe	36
PID 1928 wrote to memory of 2820	1928	WScript.exe	37
PID 1928 wrote to memory of 2820	1928	WScript.exe	37
PID 1928 wrote to memory of 2820	1928	WScript.exe	37
PID 1928 wrote to memory of 2820	1928	WScript.exe	37
PID 2820 wrote to memory of 2880	2820	svchcst.exe	38
PID 2820 wrote to memory of 2880	2820	svchcst.exe	38
PID 2820 wrote to memory of 2880	2820	svchcst.exe	38
PID 2820 wrote to memory of 2880	2820	svchcst.exe	38
PID 2880 wrote to memory of 1384	2880	WScript.exe	39
PID 2880 wrote to memory of 1384	2880	WScript.exe	39
PID 2880 wrote to memory of 1384	2880	WScript.exe	39
PID 2880 wrote to memory of 1384	2880	WScript.exe	39
PID 1384 wrote to memory of 2416	1384	svchcst.exe	40
PID 1384 wrote to memory of 2416	1384	svchcst.exe	40
PID 1384 wrote to memory of 2416	1384	svchcst.exe	40
PID 1384 wrote to memory of 2416	1384	svchcst.exe	40
PID 2416 wrote to memory of 2616	2416	WScript.exe	41
PID 2416 wrote to memory of 2616	2416	WScript.exe	41
PID 2416 wrote to memory of 2616	2416	WScript.exe	41
PID 2416 wrote to memory of 2616	2416	WScript.exe	41
PID 2616 wrote to memory of 776	2616	svchcst.exe	42
PID 2616 wrote to memory of 776	2616	svchcst.exe	42
PID 2616 wrote to memory of 776	2616	svchcst.exe	42
PID 2616 wrote to memory of 776	2616	svchcst.exe	42
PID 776 wrote to memory of 1532	776	WScript.exe	43
PID 776 wrote to memory of 1532	776	WScript.exe	43
PID 776 wrote to memory of 1532	776	WScript.exe	43
PID 776 wrote to memory of 1532	776	WScript.exe	43
PID 1532 wrote to memory of 2464	1532	svchcst.exe	44
PID 1532 wrote to memory of 2464	1532	svchcst.exe	44
PID 1532 wrote to memory of 2464	1532	svchcst.exe	44
PID 1532 wrote to memory of 2464	1532	svchcst.exe	44
PID 776 wrote to memory of 1988	776	WScript.exe	45
PID 776 wrote to memory of 1988	776	WScript.exe	45
PID 776 wrote to memory of 1988	776	WScript.exe	45
PID 776 wrote to memory of 1988	776	WScript.exe	45
PID 2464 wrote to memory of 892	2464	WScript.exe	46
PID 2464 wrote to memory of 892	2464	WScript.exe	46
PID 2464 wrote to memory of 892	2464	WScript.exe	46
PID 2464 wrote to memory of 892	2464	WScript.exe	46
PID 1988 wrote to memory of 1000	1988	svchcst.exe	47
PID 1988 wrote to memory of 1000	1988	svchcst.exe	47
PID 1988 wrote to memory of 1000	1988	svchcst.exe	47
PID 1988 wrote to memory of 1000	1988	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe
"C:\Users\Admin\AppData\Local\Temp\c5086f06762457866dcfd774c0a25366820f708ddf0a9df8b6985bee7dd9c190.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
baa229cc6a98c5954a30b54cda18e40d

SHA1
e00e0dcd3266098f2946c6b0dc4565efcf5ce5d0

SHA256
494e38f56b3eafd4b11f49f99490bc8ac3f62723136af8fc408aa2b3c7be37cd

SHA512
a996134dcc3dcf5a31b334d063e3997e92d00ca19599f4d320707d5e8e5e1a4baea572bc7ccfa7dae460ddd16e4abe5438bd7c95b83080b379345eab80fdc316

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c0ff223574a58a062d6e26c4b0bb7cd

SHA1
b61341ae86f6fd2a2e76592a2fc693479b62f37c

SHA256
b9baaa35fb2544dd650a875b31c12ae5393b345528009fc8c438296ac71da48b

SHA512
b89b388955e99d95ea0a6be87df42a49823ca71ab65505e19689b8ecc56484246bc36abaac9b7b76874b8c287a33645932573b90786886e0289dff05a6874cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
321085c6e57a8455a3e915906a6c160b

SHA1
9cd284183cd00b8ed9766cf5ba4433bd041c381e

SHA256
0d5abb9f989e8b184b17b159987cacb4be04d476a85a3c684e797cdbded810cb

SHA512
030c762c6548c28805fb3f9d97ed98ff958a379fb5142b7ba6c4cb2a8dd7a59051135e649abd6c16320361b10c374e4a1003c802560fcc244849089255fb7722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bff6791551dbe304dfd05d47d6914ec7

SHA1
5f02fb8f31876fd6815175b036583a1d29cd0313

SHA256
6bc93d44fe9c48164f7ba8d3c77842c471b8c3ddfeb175f414578ad5e500c5a5

SHA512
a5f660414f72aab55b78cb75a2f6169852e6457742ef370602120dd27d2a983c3691250ea3889869fe513452b442c42f6a319149339c63dc95e3ec1de54067cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d48cce6efdd9b4a4d242d41c11fb0998

SHA1
89272447f9537a5dc05279d0589b3772a3cb06ba

SHA256
6c9d8ea201528c26599386f3d74e16633ee3db2f1a3135eb97eeaaa3574bcb15

SHA512
a9b523837a3e427d3b0ba3501bdb0b1783c0146f4379f3def100031f019621a95e86a7c3c40332509a2f2ffd4ee4da88b657c9d312dec8e5862e27df7c1679a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6953821369b36f0b4b3e03e7fae62ebc

SHA1
cf4702431cf313936aa3fc1c8ab44f3085c7d43d

SHA256
0767862f9cf78596d02198c2aa1f39a07bb2d966cafca5950bdf98bd7f26696e

SHA512
fc2ce2638be7c988657b371d81924083542a11ae36a0f9d3ad2d1a630c78eb53aec60ed5f6d6e4d97ebd18b038d353ec2c8867d30e43155937d33ffc42f857dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e2eb8abddce07e0e0335962de4d290d4

SHA1
20de177c06a17f3747a69f3b188271509d414dfe

SHA256
71f4b1ac284397d55f4f94659edc972c792c19b6e81dd01720acead5f2ad255f

SHA512
f215d5c902e3844e41945150d0748f609c1e8cf566c28e9661dd504a44013dfb7a7afa75aecd43f388a24494ced7ae0a6b0db30b047df7a5fb1e9ebce7c5c07d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
93397960478f5f35d360e56606eeb27e

SHA1
88e1bbe189bd324ecaa46747cec166cc4353c6f7

SHA256
d446a37ca661c6e845bd8b5d5ba7831ec2f0e42ff772be5048520ea22818df54

SHA512
1b2fe31518cba122c785810ca2eb252c06153e3a646260cd44dfa9c4a06cfb947f350ff7682884b8e99c6f337f7f35cef528ae8ce5f53c8cce57879c75d86607

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
37340ee81ea1eadc349f38abb8e4f1f4

SHA1
85e329d85c879e73f4191119fba27790117e2804

SHA256
8de52fbf203113e84624956ca7cefac3d55606f92da413fed899f36a7c077938

SHA512
a57ddcd5891c05791bad7f0d4bbffe1f6b37580852261d396f90c1495790da38d908d020fb3313b9c9c4152905a7ba7c0349c07d658da5a02b55b834363c37f9

Download Submit
memory/2716-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download