7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
Size

1.1MB
MD5

020b64731738ae8db8476623695a59fe
SHA1

8b2f091cea62b94f94cc8653844561f9477dc92b
SHA256

7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a
SHA512

68dbfe544b9c375a3eda39a5fcc194f8e76c655c05d7f13c437fa17f529a76f6cc0ff0ae9d06930377abee2bfefc30a37f4cb86e333da82a0b3e8a7a29e163cd
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QQ:CcaClSFlG4ZM7QzMH

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2940	svchcst.exe

Executes dropped EXE 26 IoCs

pid	Process
2940	svchcst.exe
2404	svchcst.exe
2996	svchcst.exe
2260	svchcst.exe
1436	svchcst.exe
892	svchcst.exe
2184	svchcst.exe
1700	svchcst.exe
2228	svchcst.exe
1472	svchcst.exe
2680	svchcst.exe
1480	svchcst.exe
1140	svchcst.exe
2980	svchcst.exe
792	svchcst.exe
816	svchcst.exe
1736	svchcst.exe
1536	svchcst.exe
2820	svchcst.exe
788	svchcst.exe
1704	svchcst.exe
2292	svchcst.exe
692	svchcst.exe
2052	svchcst.exe
940	svchcst.exe
620	svchcst.exe

Loads dropped DLL 50 IoCs

pid	Process
588	WScript.exe
588	WScript.exe
2240	WScript.exe
2528	WScript.exe
2240	WScript.exe
2528	WScript.exe
2240	WScript.exe
2240	WScript.exe
2240	WScript.exe
2036	WScript.exe
2640	WScript.exe
2640	WScript.exe
2000	WScript.exe
2000	WScript.exe
2504	WScript.exe
2504	WScript.exe
1420	WScript.exe
1420	WScript.exe
2908	WScript.exe
2908	WScript.exe
2656	WScript.exe
2656	WScript.exe
2224	WScript.exe
2224	WScript.exe
1692	WScript.exe
1692	WScript.exe
2384	WScript.exe
2384	WScript.exe
2112	WScript.exe
2112	WScript.exe
636	WScript.exe
636	WScript.exe
848	WScript.exe
848	WScript.exe
2288	WScript.exe
2288	WScript.exe
2776	WScript.exe
2776	WScript.exe
2032	WScript.exe
2032	WScript.exe
2948	WScript.exe
2948	WScript.exe
1428	WScript.exe
1428	WScript.exe
1092	WScript.exe
1092	WScript.exe
1280	WScript.exe
1280	WScript.exe
2140	WScript.exe
2140	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe
2940	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
2940	svchcst.exe
2940	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2260	svchcst.exe
2260	svchcst.exe
1436	svchcst.exe
1436	svchcst.exe
892	svchcst.exe
892	svchcst.exe
2184	svchcst.exe
2184	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
2228	svchcst.exe
2228	svchcst.exe
1472	svchcst.exe
1472	svchcst.exe
2680	svchcst.exe
2680	svchcst.exe
1480	svchcst.exe
1480	svchcst.exe
1140	svchcst.exe
1140	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
792	svchcst.exe
792	svchcst.exe
816	svchcst.exe
816	svchcst.exe
1736	svchcst.exe
1736	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
788	svchcst.exe
788	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
2292	svchcst.exe
2292	svchcst.exe
692	svchcst.exe
692	svchcst.exe
2052	svchcst.exe
2052	svchcst.exe
940	svchcst.exe
940	svchcst.exe
620	svchcst.exe
620	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 588	2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe	30
PID 2908 wrote to memory of 588	2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe	30
PID 2908 wrote to memory of 588	2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe	30
PID 2908 wrote to memory of 588	2908	7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe	30
PID 588 wrote to memory of 2940	588	WScript.exe	32
PID 588 wrote to memory of 2940	588	WScript.exe	32
PID 588 wrote to memory of 2940	588	WScript.exe	32
PID 588 wrote to memory of 2940	588	WScript.exe	32
PID 2940 wrote to memory of 2528	2940	svchcst.exe	33
PID 2940 wrote to memory of 2528	2940	svchcst.exe	33
PID 2940 wrote to memory of 2528	2940	svchcst.exe	33
PID 2940 wrote to memory of 2528	2940	svchcst.exe	33
PID 2940 wrote to memory of 2240	2940	svchcst.exe	34
PID 2940 wrote to memory of 2240	2940	svchcst.exe	34
PID 2940 wrote to memory of 2240	2940	svchcst.exe	34
PID 2940 wrote to memory of 2240	2940	svchcst.exe	34
PID 2240 wrote to memory of 2404	2240	WScript.exe	35
PID 2240 wrote to memory of 2404	2240	WScript.exe	35
PID 2240 wrote to memory of 2404	2240	WScript.exe	35
PID 2240 wrote to memory of 2404	2240	WScript.exe	35
PID 2528 wrote to memory of 2996	2528	WScript.exe	36
PID 2528 wrote to memory of 2996	2528	WScript.exe	36
PID 2528 wrote to memory of 2996	2528	WScript.exe	36
PID 2528 wrote to memory of 2996	2528	WScript.exe	36
PID 2240 wrote to memory of 2260	2240	WScript.exe	37
PID 2240 wrote to memory of 2260	2240	WScript.exe	37
PID 2240 wrote to memory of 2260	2240	WScript.exe	37
PID 2240 wrote to memory of 2260	2240	WScript.exe	37
PID 2260 wrote to memory of 2036	2260	svchcst.exe	38
PID 2260 wrote to memory of 2036	2260	svchcst.exe	38
PID 2260 wrote to memory of 2036	2260	svchcst.exe	38
PID 2260 wrote to memory of 2036	2260	svchcst.exe	38
PID 2240 wrote to memory of 1436	2240	WScript.exe	39
PID 2240 wrote to memory of 1436	2240	WScript.exe	39
PID 2240 wrote to memory of 1436	2240	WScript.exe	39
PID 2240 wrote to memory of 1436	2240	WScript.exe	39
PID 2036 wrote to memory of 892	2036	WScript.exe	40
PID 2036 wrote to memory of 892	2036	WScript.exe	40
PID 2036 wrote to memory of 892	2036	WScript.exe	40
PID 2036 wrote to memory of 892	2036	WScript.exe	40
PID 892 wrote to memory of 2640	892	svchcst.exe	41
PID 892 wrote to memory of 2640	892	svchcst.exe	41
PID 892 wrote to memory of 2640	892	svchcst.exe	41
PID 892 wrote to memory of 2640	892	svchcst.exe	41
PID 2640 wrote to memory of 2184	2640	WScript.exe	42
PID 2640 wrote to memory of 2184	2640	WScript.exe	42
PID 2640 wrote to memory of 2184	2640	WScript.exe	42
PID 2640 wrote to memory of 2184	2640	WScript.exe	42
PID 2184 wrote to memory of 2000	2184	svchcst.exe	43
PID 2184 wrote to memory of 2000	2184	svchcst.exe	43
PID 2184 wrote to memory of 2000	2184	svchcst.exe	43
PID 2184 wrote to memory of 2000	2184	svchcst.exe	43
PID 2000 wrote to memory of 1700	2000	WScript.exe	44
PID 2000 wrote to memory of 1700	2000	WScript.exe	44
PID 2000 wrote to memory of 1700	2000	WScript.exe	44
PID 2000 wrote to memory of 1700	2000	WScript.exe	44
PID 1700 wrote to memory of 2504	1700	svchcst.exe	45
PID 1700 wrote to memory of 2504	1700	svchcst.exe	45
PID 1700 wrote to memory of 2504	1700	svchcst.exe	45
PID 1700 wrote to memory of 2504	1700	svchcst.exe	45
PID 2504 wrote to memory of 2228	2504	WScript.exe	46
PID 2504 wrote to memory of 2228	2504	WScript.exe	46
PID 2504 wrote to memory of 2228	2504	WScript.exe	46
PID 2504 wrote to memory of 2228	2504	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe
"C:\Users\Admin\AppData\Local\Temp\7fe864e2c72cfde0ff5228408dcc7286d0a5c15aa4bf23a57297db1a88d5c83a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2240
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1a81715fd00a57cd73123177bad666cf

SHA1
2287e185ecc39529d0653642acfca754c31d7ece

SHA256
df743e38780217a134616c8c20da88d9aec3ccbaee2ad58dd8b403c741ff6734

SHA512
63b53c711ea306ea9cdf5961446428de4c2e36d30ce4315de53b2900dabfa03bca9e28a4cd6eb0d3c83f01c66475e99f2567cb92296b6f906f29f3612625afab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9d25791d9949ef33ed0c208f3d11851

SHA1
1cdf525209a1d7ade65168011e4de530de7bdc5a

SHA256
d3592a18c2a195dba2db76e25fb1516b2a9ef5297e9d72716e232d3540bc4481

SHA512
efb6f3882b9c75aa5193cf1bfeeb430b0a963681bf5367f535e3eb9c4e7c796c0aa1d0e3df9803c635ba6d863dc129a9ab30c954c6d4af27803036859d3d3113

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a776a1c349a5693243f92207fda64caf

SHA1
7ccf2972c10f6768df30b09341c469a73fe1e1c9

SHA256
0a0def741d52a25f3c17c47c68b604ddb4e1eb1c201db6dd4c8844b5fb2ab287

SHA512
87381bac1a8e5fd9670bb8912a2146dddebbf5e75dd33c2b274bd5999f77260624960cc5a097b52af211194243144c621814fa241be512edabfb6010f867e22f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b989a9303ad9410322f1ca7f55d18402

SHA1
ab946ebc451bc19fca44d1ee77872f98b2283adc

SHA256
bb1d85ce04f0c086549a3332ae80385087d32264d17bc2271878ab41d9eab68c

SHA512
3b017edb587e234b30cb8fcfa36fd80310f4ff0d8ada0b773c496eb75650f284c81e769d87395395ecb53b1270acf272274821748d1cccd3db18afc75be250d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4819543a5b8138cb37d4d7294f2a8c40

SHA1
ced0466b711925ebb32a6840e4e3b8b1a0eb682a

SHA256
462fed2da2e2b97e0ee63c91879c4e03bb04eccb7c043e433167075e8b66d2ac

SHA512
d7242e7a77f9836d2483c0769f55808444164303d6baae3852f2773718b4cad893abb3d1c730267ce0113a959dd69c077e95f20ba3692fe588fae6d638b25fbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e933eca77b504672f90e761577f3a822

SHA1
b32572fca182a9e78c3844dd1f8b4b984b27c9ad

SHA256
49b0bc0e8f643977d1be92cf15b599dae1ac7bb95e4797474841bcaa75459620

SHA512
b6be665b827e98d1c334c9f16b8af43de41e8424cb438bd9616e873309e057de72806e24b3b87950c0c3721bfb76ca800ba3fecb526d1e955306c6e2f444de38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9f3b27ff75ae2d52b0d1e443e40048cb

SHA1
8d4bc5a5a07e1a1430712c22d7fb8a9174b9ae12

SHA256
cbb28147b3fa73e24b36650a907a7e23eedc34059f9d8747d5ae72784f8a5e25

SHA512
c5843e24cb20431562b0e299c0ea4ca5f91f48b32bcc213008a7e8435d8db2c1d19d355d48999361cd82677dcda7e1eb8cabcff9b9dd4aa976026e880039d7b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ac48a1f351745e05b18e73c8b30df802

SHA1
89712e11935789e88b31389f535185a4a8ac44ec

SHA256
41913fb573cd860d07a7668d4b130844732a40028d8d515a02635954a7ece878

SHA512
4e0d2cbd66e4318f3d7e9f1e2ad689cd26678e4d4bf4c82fbce968e56d9416e857e66a5998b2c1fb4bffa0df8daabae6d00d05d10ba3823f07e60231985f4ef0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6701662c3f555cef84e65fffb777934c

SHA1
50a90ac7cd18e5e7e5b80eea757b2a53d4ba17bd

SHA256
47cb0703c2068e4b4aa0a14ca72123b1091983a17e51b8c30291227bcb72f99d

SHA512
4ece5b2ca6335ab1af3cda7f52f4b653df10162d4ac7ef6d373ffeaf8c660816ac07c820db25b9fb66c3c8f7478c6c0effb8ef69299e995caec4b72554246ba0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3680b48cc3ad28543fc23def8cd8646c

SHA1
2bd984b02afe5342cfa92b79e360c935399ad98c

SHA256
f38cc80edaa75ce26100622a499b4242f58fca48654dcdd9c19e294feaa93253

SHA512
0556914aed5db2240d686c2e68f40648fea53655d6b1478d89ea081934fc311aca1eb95ffd5d4cc5815501b3fa530fac27b6e856ac481b843d2031da7e9a268c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6990f4dfd132c17f3e83241f49817c6e

SHA1
f28b1d69e2b3eae97b975cc445e6c0098e376139

SHA256
0f164dbecdf0cddf4d2e8d8dfc571c767acaaa3f9fe38d8db1ffb341563469cf

SHA512
085d778bb06d371773b7d56cfc37941ee85b0480b4105421b6082feccebd720c0c81efb07406abd1643abfb8ec73e349b2ba8ada1949649f50a706781044dd0c

Download Submit
memory/2908-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download