ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
Size

1.1MB
MD5

0eab3d1b3a7ab9cc829f12323dd4717e
SHA1

c3d0a6fce6809f85d2a45c670c27363f1f3e7f6c
SHA256

ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3
SHA512

2b1c7c76363f50ff3a1a4d2e956f79ac7eed522e8f5788e9aaf38015ee70335ff36ae80c74ae67cf8c0bf351e751b3a5de3555c64e513ca7e0c25df46467f709
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QZ:CcaClSFlG4ZM7QzMK

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2772	svchcst.exe
2148	svchcst.exe
316	svchcst.exe
2964	svchcst.exe
3012	svchcst.exe
1348	svchcst.exe
1876	svchcst.exe
2096	svchcst.exe
2644	svchcst.exe
2128	svchcst.exe
1268	svchcst.exe
3016	svchcst.exe
992	svchcst.exe
1932	svchcst.exe
1604	svchcst.exe
1740	svchcst.exe
2840	svchcst.exe
2896	svchcst.exe
476	svchcst.exe
768	svchcst.exe
964	svchcst.exe
3012	svchcst.exe
1920	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2100	WScript.exe
2100	WScript.exe
2904	WScript.exe
2904	WScript.exe
2876	WScript.exe
2876	WScript.exe
300	WScript.exe
300	WScript.exe
2196	WScript.exe
2196	WScript.exe
1752	WScript.exe
1752	WScript.exe
3048	WScript.exe
3048	WScript.exe
1448	WScript.exe
1448	WScript.exe
1160	WScript.exe
1160	WScript.exe
2736	WScript.exe
2736	WScript.exe
492	WScript.exe
492	WScript.exe
1544	WScript.exe
1544	WScript.exe
352	WScript.exe
352	WScript.exe
1780	WScript.exe
1780	WScript.exe
1756	WScript.exe
1756	WScript.exe
1732	WScript.exe
1732	WScript.exe
2252	WScript.exe
2252	WScript.exe
876	WScript.exe
876	WScript.exe
2984	WScript.exe
2984	WScript.exe
2128	WScript.exe
2128	WScript.exe
1640	WScript.exe
1640	WScript.exe
448	WScript.exe
448	WScript.exe
1788	WScript.exe
1788	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
2772	svchcst.exe
2772	svchcst.exe
2148	svchcst.exe
2148	svchcst.exe
316	svchcst.exe
316	svchcst.exe
2964	svchcst.exe
2964	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
1348	svchcst.exe
1348	svchcst.exe
1876	svchcst.exe
1876	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
2644	svchcst.exe
2644	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
992	svchcst.exe
992	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
1740	svchcst.exe
1740	svchcst.exe
2840	svchcst.exe
2840	svchcst.exe
2896	svchcst.exe
2896	svchcst.exe
476	svchcst.exe
476	svchcst.exe
768	svchcst.exe
768	svchcst.exe
964	svchcst.exe
964	svchcst.exe
3012	svchcst.exe
3012	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2100	2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe	30
PID 2384 wrote to memory of 2100	2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe	30
PID 2384 wrote to memory of 2100	2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe	30
PID 2384 wrote to memory of 2100	2384	ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe	30
PID 2100 wrote to memory of 2772	2100	WScript.exe	33
PID 2100 wrote to memory of 2772	2100	WScript.exe	33
PID 2100 wrote to memory of 2772	2100	WScript.exe	33
PID 2100 wrote to memory of 2772	2100	WScript.exe	33
PID 2772 wrote to memory of 2904	2772	svchcst.exe	34
PID 2772 wrote to memory of 2904	2772	svchcst.exe	34
PID 2772 wrote to memory of 2904	2772	svchcst.exe	34
PID 2772 wrote to memory of 2904	2772	svchcst.exe	34
PID 2904 wrote to memory of 2148	2904	WScript.exe	35
PID 2904 wrote to memory of 2148	2904	WScript.exe	35
PID 2904 wrote to memory of 2148	2904	WScript.exe	35
PID 2904 wrote to memory of 2148	2904	WScript.exe	35
PID 2148 wrote to memory of 2876	2148	svchcst.exe	36
PID 2148 wrote to memory of 2876	2148	svchcst.exe	36
PID 2148 wrote to memory of 2876	2148	svchcst.exe	36
PID 2148 wrote to memory of 2876	2148	svchcst.exe	36
PID 2876 wrote to memory of 316	2876	WScript.exe	37
PID 2876 wrote to memory of 316	2876	WScript.exe	37
PID 2876 wrote to memory of 316	2876	WScript.exe	37
PID 2876 wrote to memory of 316	2876	WScript.exe	37
PID 316 wrote to memory of 300	316	svchcst.exe	38
PID 316 wrote to memory of 300	316	svchcst.exe	38
PID 316 wrote to memory of 300	316	svchcst.exe	38
PID 316 wrote to memory of 300	316	svchcst.exe	38
PID 300 wrote to memory of 2964	300	WScript.exe	39
PID 300 wrote to memory of 2964	300	WScript.exe	39
PID 300 wrote to memory of 2964	300	WScript.exe	39
PID 300 wrote to memory of 2964	300	WScript.exe	39
PID 2964 wrote to memory of 2196	2964	svchcst.exe	40
PID 2964 wrote to memory of 2196	2964	svchcst.exe	40
PID 2964 wrote to memory of 2196	2964	svchcst.exe	40
PID 2964 wrote to memory of 2196	2964	svchcst.exe	40
PID 2196 wrote to memory of 3012	2196	WScript.exe	41
PID 2196 wrote to memory of 3012	2196	WScript.exe	41
PID 2196 wrote to memory of 3012	2196	WScript.exe	41
PID 2196 wrote to memory of 3012	2196	WScript.exe	41
PID 3012 wrote to memory of 1752	3012	svchcst.exe	42
PID 3012 wrote to memory of 1752	3012	svchcst.exe	42
PID 3012 wrote to memory of 1752	3012	svchcst.exe	42
PID 3012 wrote to memory of 1752	3012	svchcst.exe	42
PID 1752 wrote to memory of 1348	1752	WScript.exe	43
PID 1752 wrote to memory of 1348	1752	WScript.exe	43
PID 1752 wrote to memory of 1348	1752	WScript.exe	43
PID 1752 wrote to memory of 1348	1752	WScript.exe	43
PID 1348 wrote to memory of 3048	1348	svchcst.exe	44
PID 1348 wrote to memory of 3048	1348	svchcst.exe	44
PID 1348 wrote to memory of 3048	1348	svchcst.exe	44
PID 1348 wrote to memory of 3048	1348	svchcst.exe	44
PID 3048 wrote to memory of 1876	3048	WScript.exe	45
PID 3048 wrote to memory of 1876	3048	WScript.exe	45
PID 3048 wrote to memory of 1876	3048	WScript.exe	45
PID 3048 wrote to memory of 1876	3048	WScript.exe	45
PID 1876 wrote to memory of 1448	1876	svchcst.exe	46
PID 1876 wrote to memory of 1448	1876	svchcst.exe	46
PID 1876 wrote to memory of 1448	1876	svchcst.exe	46
PID 1876 wrote to memory of 1448	1876	svchcst.exe	46
PID 1876 wrote to memory of 2252	1876	svchcst.exe	47
PID 1876 wrote to memory of 2252	1876	svchcst.exe	47
PID 1876 wrote to memory of 2252	1876	svchcst.exe	47
PID 1876 wrote to memory of 2252	1876	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe
"C:\Users\Admin\AppData\Local\Temp\ee962e84b7fc94dffe70f523af1b4e18b537a1d66936d0fa80d3112d57e570c3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
16ac3c3ae8031fb207ee3b384d350c6c

SHA1
ef4bbd656bd6cb1fc4f097102bf94b922e836614

SHA256
c9ff3c69c309bee3ee67a59f6ceb958b46e8f01aec8aa5cbbd256b8630f564db

SHA512
5af664ece8df3956dd6aed0e99e317424ab42a3f7c9ff39966d703ef175123a00f336d2ef07125275f2a50f3505032ba4a250b9d28116cf2849d026d1186f4df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
16b9011648a577741b7fb4a55f1eeaac

SHA1
b0d86d1cf62b882bf28f0897ddb610e41cc6814c

SHA256
7bf3fbb9962c054e651caf4e49fa468d5892cb0bf88f4bbf3fd85b372a7d173c

SHA512
1d8631904aa2df5a90aef858d4369ed53d0075f97b42361a8e05c9a64f8e6a786897b625b1230d20415f3923db8aa5d8f5f619b7b9084202fecf4e7cead4366d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae63ded87a90f9812749cac189d07a57

SHA1
5a37ba565ce8c2445ff71f7c3d7adc38cb68627f

SHA256
6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236

SHA512
293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8ff9269f0a87aaf29e707ac354505e61

SHA1
68c900e567a236096ac8c812cb14dec97e3e088c

SHA256
ed84c3ff01194f8f55c30fb4f5685d4f74c186732e01e20d9909fb7a63ebb7d1

SHA512
5980c8ca52c3c047380b9aabced91699a68228bf8e5d545ff3105bdc5c469f30f7e490f459e2e8bc57f088d904ae0fb3e3167dfa0cd84b83b3d8e78402e8ae9d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
251a70f0c55d02e74e34c409c5795274

SHA1
b0eb587b5e8d597ef801848722b790692d804be2

SHA256
f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3

SHA512
023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
072a46f071251f08c67b3aba4c983435

SHA1
371837f885eac20c802901026d2e7aa1d4f6cd5c

SHA256
0d0a8daeceed64600e817a5a0437a39048c52e857868a35d9130d42fdfa896ed

SHA512
e3d35d428a29eec047b0cc43c87aa701eed81e9efe921b4ef13fa2e8e24ef11ce602bd67868b7ad1bdbd9f39eb681a8c95c715479238a2f17c17105ea4653c83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3d4609152a8b60658d90a492619734c7

SHA1
0dcaa77c57416610e2fe0726263efc233c1000b1

SHA256
e159ee1b05f00bbe1f3f80385aa426e1cbd9b753097a1bf5e4aaf6570d9b2a96

SHA512
0f1f321411a24fe8ddb714857de1f4946f2e6af7e0e73195b31f34848759890efc48df7e5807b78c4fd4025277bec1e6d31648115289e74ea56efb11a536173a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9677c4e83ff22dea2ccb6288dbc77b0b

SHA1
65ce7ac840532e6285faf44e1e0fedf89fabb5d1

SHA256
977aee945af662345fe335f58ac4062e843b592ea8fd7a744abf38f54d7cd60a

SHA512
7a3f0d904627702e5c6b3dcc7ce21cdc07a5eec5844ab8d11d876f4f8e7898b5d55705078cbabad49f0a53f4a1c755e6715948e0a2c5d4e799bfc7ec85e9e42c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0f9b6237d17bc8dbe4332d70d742f821

SHA1
e04baf7c41f03b48abaf3f1439627d4131d7627f

SHA256
d5934497bd885a3565e75a2a326a701da72f7b2c0ce33334b081b241a519a588

SHA512
52c288eede1f7649591e2090bbe331814bbbc914bdf0566a55e9781fe00d1eb4cb07fba995419d3207271c9d4fba9d62bec0844eb448f64ce4f65b689131a5ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
833ed31157ff19a333dbf54450523081

SHA1
8815a6b0d73b07afc19703e6cd54b865bd7596cb

SHA256
78c9cb79820cb8b40d9a07efe6f36b22fb2816462b4be66b63454709b38d8fb6

SHA512
a74c6009c51dd415514a6c66a26cf29b3bbb4a1ab5b3eb690194d747af62381feecffb7ccc73bd3eff70494ed31af0b4cfb14dad3f670dacfefe5df559ea31ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
25f3eaabbe84b79401ce668f8c1a0e75

SHA1
5aac31a5298dff3d78314a223860a7b2a3bd1380

SHA256
8ed60993aad2cc461808963aca92bb4ae1489898d739432010f9201acabde00b

SHA512
c9c921f4e50dd8e39255390278e1843bfbe4a81f8ae61d4c2c7edd77525a423f3c165a1e0303e1a8c76e133584122fe7db7b1620e5df039a284c07cad8508d8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
84e0023b873904c8e74c20cb86552b5a

SHA1
04332cdb3d19b379ff4e0c772e9fb92946e151ec

SHA256
ce0283b5c693cb816bd4e946a25f44f7aa833c27a1b8a1e6c8dc4c892d6a6fe2

SHA512
8eb686891750e10a085516d867cefcf9a04e62996f57f1aabab856c2d800bc775bef62f1c7cd7b9aa84cab9e3084b03452f15bfe91ae962def80141581b6063f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
717fd23d449ffdc2ce31855566cf7053

SHA1
13e52de66e51cb592b458043ea90536e8d695fa3

SHA256
21c3ea83cc54eabdd091aac79a788edd174b337308eab43745c19a2eea25bd5e

SHA512
0156c884853d27831de027ae60d55c21d7aa0da6aa6736719b4cf7afe31e9d69f24890566bc56b9a84d1a31229de8f0593898128ea59507f22f24b4bfd6509c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f703638c539121dea52378630e2e0006

SHA1
200c287978b3d84b2f92adbb4262579b88ed1adc

SHA256
aee19e2056f54ce0325e18401862ebf0d4b844942a2f9c981792195eb0226a66

SHA512
4bc7a1830ffdec7d63cea6d5e004b9fbc44fe5bb861105cebcd7e254cc1694eee751260620bf394da5cfd07bf77c9603b1fd56fa582c797ce062090a011c8ab0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
13c3ef468336ad2809784915c1fdc16b

SHA1
52b99a81a2fd86881e80d901b16fa84d7f27a7df

SHA256
34cc85b396e5836cfe8eaa6a830f3ddb4f45420a25a9e8dee8cb93da6fed24ec

SHA512
c15fb1c2c25fddaa141faf29cebf4c125d1d1023f8651961b0c147e93792ef9900a5d4d982d83fa9328ab02637f0f01f8f733d48a9f46e445357b78fee0f68ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4266ee5b63a24315ab995c80b1e5b91d

SHA1
99d544127af7d28ff186c8ac5b6640f034b3fa42

SHA256
2b160ae934f8fd5bdd64066e7e9d429a9409e8ee3da736cd08c3b0a9860e7b86

SHA512
bd7514f1b6828b026b749a25a59508fcedb02d909dab258e2d097f0ba613c28ddb216ba2fbc69a96e3ffc6761dfb02445f35858460e7377c536406ab445fab1c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
079de8180b24437e8b2974769413fbd2

SHA1
9aea39c934502889e730ada10a99d0e6eecfc2d8

SHA256
cd8cbb91e01f653501f423684a4ef16e8d94cd7e89cc152240571757efa98690

SHA512
517233c9a8ca1195eb79ffc27026f39c3166be8ceb2a21bc0c371716db58ce56e5e668420eb85369a4cbeb0abf01c750b51a2fdc4910fb68f5bdffaeca92aaee

Download Submit
memory/2384-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download