a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe
Size

1.1MB
MD5

6297c3de0730252b708a2d9fde42f102
SHA1

f61cce9942435ca5f0ae0eb108f857786274973d
SHA256

a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e
SHA512

1700ce13589ef9112ebdfa788551a07d43830296ba5bfd0efe7f71c13229dac05df265b83bb1c5222560cd0c504dd9149c6cf41e40726d2d87b525badec43ee5
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QO:CcaClSFlG4ZM7QzMF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2988	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2988	svchcst.exe
1536	svchcst.exe
2784	svchcst.exe
3044	svchcst.exe
2408	svchcst.exe
264	svchcst.exe
2128	svchcst.exe
324	svchcst.exe
2648	svchcst.exe
2196	svchcst.exe
1220	svchcst.exe
2332	svchcst.exe
1008	svchcst.exe
1732	svchcst.exe
1532	svchcst.exe
2352	svchcst.exe
2324	svchcst.exe
2576	svchcst.exe
3068	svchcst.exe
1560	svchcst.exe
2136	svchcst.exe
2156	svchcst.exe
1268	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
1352	WScript.exe
1352	WScript.exe
2620	WScript.exe
2620	WScript.exe
2404	WScript.exe
2404	WScript.exe
2692	WScript.exe
2692	WScript.exe
1268	WScript.exe
1268	WScript.exe
2380	WScript.exe
2380	WScript.exe
1512	WScript.exe
1512	WScript.exe
2508	WScript.exe
2508	WScript.exe
2892	WScript.exe
2892	WScript.exe
2264	WScript.exe
2264	WScript.exe
3056	WScript.exe
3056	WScript.exe
2780	WScript.exe
2780	WScript.exe
480	WScript.exe
480	WScript.exe
1936	WScript.exe
1936	WScript.exe
776	WScript.exe
776	WScript.exe
2528	WScript.exe
2528	WScript.exe
2856	WScript.exe
2856	WScript.exe
2960	WScript.exe
2960	WScript.exe
2592	WScript.exe
2592	WScript.exe
1944	WScript.exe
1944	WScript.exe
2100	WScript.exe
2100	WScript.exe
1640	WScript.exe
1640	WScript.exe
272	WScript.exe
272	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
1536	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe
2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe
2988	svchcst.exe
2988	svchcst.exe
1536	svchcst.exe
1536	svchcst.exe
2784	svchcst.exe
2784	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
2408	svchcst.exe
2408	svchcst.exe
264	svchcst.exe
264	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
324	svchcst.exe
324	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
1220	svchcst.exe
1220	svchcst.exe
2332	svchcst.exe
2332	svchcst.exe
1008	svchcst.exe
1008	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
2352	svchcst.exe
2352	svchcst.exe
2324	svchcst.exe
2324	svchcst.exe
2576	svchcst.exe
2576	svchcst.exe
3068	svchcst.exe
3068	svchcst.exe
1560	svchcst.exe
1560	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
1268	svchcst.exe
1268	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1352	2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe	29
PID 2904 wrote to memory of 1352	2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe	29
PID 2904 wrote to memory of 1352	2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe	29
PID 2904 wrote to memory of 1352	2904	a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe	29
PID 1352 wrote to memory of 2988	1352	WScript.exe	31
PID 1352 wrote to memory of 2988	1352	WScript.exe	31
PID 1352 wrote to memory of 2988	1352	WScript.exe	31
PID 1352 wrote to memory of 2988	1352	WScript.exe	31
PID 2988 wrote to memory of 2620	2988	svchcst.exe	32
PID 2988 wrote to memory of 2620	2988	svchcst.exe	32
PID 2988 wrote to memory of 2620	2988	svchcst.exe	32
PID 2988 wrote to memory of 2620	2988	svchcst.exe	32
PID 2620 wrote to memory of 1536	2620	WScript.exe	33
PID 2620 wrote to memory of 1536	2620	WScript.exe	33
PID 2620 wrote to memory of 1536	2620	WScript.exe	33
PID 2620 wrote to memory of 1536	2620	WScript.exe	33
PID 1536 wrote to memory of 2404	1536	svchcst.exe	34
PID 1536 wrote to memory of 2404	1536	svchcst.exe	34
PID 1536 wrote to memory of 2404	1536	svchcst.exe	34
PID 1536 wrote to memory of 2404	1536	svchcst.exe	34
PID 2404 wrote to memory of 2784	2404	WScript.exe	35
PID 2404 wrote to memory of 2784	2404	WScript.exe	35
PID 2404 wrote to memory of 2784	2404	WScript.exe	35
PID 2404 wrote to memory of 2784	2404	WScript.exe	35
PID 2784 wrote to memory of 2692	2784	svchcst.exe	36
PID 2784 wrote to memory of 2692	2784	svchcst.exe	36
PID 2784 wrote to memory of 2692	2784	svchcst.exe	36
PID 2784 wrote to memory of 2692	2784	svchcst.exe	36
PID 2692 wrote to memory of 3044	2692	WScript.exe	37
PID 2692 wrote to memory of 3044	2692	WScript.exe	37
PID 2692 wrote to memory of 3044	2692	WScript.exe	37
PID 2692 wrote to memory of 3044	2692	WScript.exe	37
PID 3044 wrote to memory of 1268	3044	svchcst.exe	38
PID 3044 wrote to memory of 1268	3044	svchcst.exe	38
PID 3044 wrote to memory of 1268	3044	svchcst.exe	38
PID 3044 wrote to memory of 1268	3044	svchcst.exe	38
PID 1268 wrote to memory of 2408	1268	WScript.exe	39
PID 1268 wrote to memory of 2408	1268	WScript.exe	39
PID 1268 wrote to memory of 2408	1268	WScript.exe	39
PID 1268 wrote to memory of 2408	1268	WScript.exe	39
PID 2408 wrote to memory of 2380	2408	svchcst.exe	40
PID 2408 wrote to memory of 2380	2408	svchcst.exe	40
PID 2408 wrote to memory of 2380	2408	svchcst.exe	40
PID 2408 wrote to memory of 2380	2408	svchcst.exe	40
PID 2380 wrote to memory of 264	2380	WScript.exe	41
PID 2380 wrote to memory of 264	2380	WScript.exe	41
PID 2380 wrote to memory of 264	2380	WScript.exe	41
PID 2380 wrote to memory of 264	2380	WScript.exe	41
PID 264 wrote to memory of 1512	264	svchcst.exe	42
PID 264 wrote to memory of 1512	264	svchcst.exe	42
PID 264 wrote to memory of 1512	264	svchcst.exe	42
PID 264 wrote to memory of 1512	264	svchcst.exe	42
PID 1512 wrote to memory of 2128	1512	WScript.exe	43
PID 1512 wrote to memory of 2128	1512	WScript.exe	43
PID 1512 wrote to memory of 2128	1512	WScript.exe	43
PID 1512 wrote to memory of 2128	1512	WScript.exe	43
PID 2128 wrote to memory of 2508	2128	svchcst.exe	44
PID 2128 wrote to memory of 2508	2128	svchcst.exe	44
PID 2128 wrote to memory of 2508	2128	svchcst.exe	44
PID 2128 wrote to memory of 2508	2128	svchcst.exe	44
PID 2508 wrote to memory of 324	2508	WScript.exe	45
PID 2508 wrote to memory of 324	2508	WScript.exe	45
PID 2508 wrote to memory of 324	2508	WScript.exe	45
PID 2508 wrote to memory of 324	2508	WScript.exe	45

C:\Users\Admin\AppData\Local\Temp\a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe
"C:\Users\Admin\AppData\Local\Temp\a6c9d29276ff9cf86428802550c50b6e9ce143d778499b1ab47644e7d3cdd56e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7757db937effa9dc57b945ddab0d843c

SHA1
4ed36b35cb2c46c38d40da5ad83c44bd9fea9fd6

SHA256
9ccf1b9d728602aab2d47f9a59f4f7574eed80d7e83d1123bd4db127b826b2ce

SHA512
08d7dfcabfc9a64af15614ba3382f610c9875a39e2569b2e538011d4e6977f26ebc3a2ec92926d79934f85fa995de3ddd0b90ccbf483ccdcb1c59aba5dcb80f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f9749c13b20bc60748c3f72c2cf20740

SHA1
227698fcf7919e5c66d91e4e0fd51a5d54ffcd6e

SHA256
2ea51d4fb5a6022d3cf66550189fa271c025d8fabd55cc24025d12e600b70594

SHA512
541c5d5e8187257adb03505430c87bd364bec53487b373ecf4f91aee21dcecc746a4855ca0ee72fbfddcf34e52fe2453770ae66183b308d6b45a0f37342e44d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3612d3ea6472851cf27d0650f30a8461

SHA1
6deb8050a9d5911a2bcaa1dff30442b243389423

SHA256
2952c41a53b0569f4005c91e142940e5e96ab915146591fd27e380826de74370

SHA512
274ea073a41fbb585172d72f0f3c37132154378212b24cf3609f2bb450d631741c438035f81046ec36f08e62f287949079776d359cd42602ad097cfc0689f49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7a01dad1af2b3e0327e1d352436bbcd7

SHA1
10612930777b11e8edeb9bd33c74a6a2404c9d6b

SHA256
185fe22d4d1af7aee3fd8cf94dcfe20c5daf320764d2c96c2ad5f2cff4cd1655

SHA512
1fee128690213b1ffd6c1f95d9894f52c2b0374ca99b16795028fab6b364298c1d678c3f92775c410c0fe7a1a71a33d3db5635e5bb6c71449feb60c9f5316616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
853ab17735e86615d05dfda85b7fe33b

SHA1
984969a4b0cdf5bf8663a00d1283bf4fb4a106bb

SHA256
cfc30f00b23c7811765f12f10ff44b05dece0f2dc2c783c0a5cd71955cce27fb

SHA512
9b90135c83e511ffa2b8bb36636ef45a3d1dc03bee0a42b7f580ca323efebb68e79b51829d0ecd7d07f4982a4b8778b0f40ff2bbe2dfc9ad7ff0c209292b9d59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3c1db12c5dc6b7231cbb6b0c9e60718e

SHA1
b97bcbffe367bf31b790aba9fe7b763a0eac87a0

SHA256
7cd8feca4b2e4e55cef85511b443ed282c781b1961a70dd43bbb7717cad6decc

SHA512
86fd6e01bfb7230030cc76478782933651139cf58cb2b4815bce754a18b787b6b3cf6e1b4b6425edab1719d67315cf5e2b38ac90c2d5e08b6f4471cbc75a6350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f6b5f91c4ed8c63bd7a58c68011e5bd5

SHA1
3e57e659c6b9784b730a939169b643c31e0bde1d

SHA256
047e08ff7de195224bac5ae55c216a5c9fe2ce2cfc165430f2c894cc88e51492

SHA512
dfc9512baf5a62caffe0b1c9caca882a4eb12d305a4a8e404d2f12736dd55507d61efa52cee5f0336a2db475cf5c4ca6b454d4430a1605e330207bc230c4f732

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c34921446b4e59e0d4e6c4e3b1e87b1c

SHA1
c33c29dac40849014360d878063cc7e22a827ff4

SHA256
1ada845da5a79747d642d7a532bc5797037fed5757fdc7a89b0c9914899f7a6c

SHA512
a7890619943ece24accfc284ecae9ca8b55782268c0ff49761a20ae8b84b1e536104cd658164044ef019fd9aa1c2d7ca372f93b42a5a2bd028f6bb0d86d21a03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
af00362e08ecff656ad099a9604ee268

SHA1
8b550c0ea2e282cd3190e3e0ea88c67a144d51c1

SHA256
14570643660f6dd785a52af43eda768cb03e141f63cbea08616b002ecfa8fae5

SHA512
28b3384947ac4869c338f58b619b44874bf9b10bbe9f917606c8861fb02fb978416802a15d00bb772775f803f0dab1448c162f30fb7d2cf3f4827febc8ec5a20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5fbeacc3daa856de3dbcfdd9c61b0912

SHA1
c9629d3e41d19a74da163b98de04c4f95c1cad68

SHA256
70e9a035fc6d902f96896e883f2d8afe61d7e1b20747c185717905f5d2555d40

SHA512
a9ef6bd8bc9fe747d66f3ed5db531f522f47cac8ad05abea9d62cb2be0187815a349370a7b4f44284502673816ad4f83da947be90daf19721cf54688f7ab26b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
edaf6666c30c047d00f9b6bd47456cd8

SHA1
eb60e66b7aea14aa1c54b2214245a945a4a76ecd

SHA256
03cde0d9d1771e8d1812f6696ba4515291f23faa459d2aa243302c91ab98a75f

SHA512
847f844c4a94b7bf4d062613f054c5a751e4911652fa3d9bc88418ecc077a388b72153a432b24b2d521b43145a1d6b6d63f2af960bec951a05135a16512d2626

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
edc6646cf28e2c89a044a48ecb030894

SHA1
31c56d3ecae2d6e4583287fd53c1d547483b9d82

SHA256
495ef01765582416f48f15063d1c0632a6b0b1b1fcfc09bcedddce409c329120

SHA512
548b5b6e049b28997e711177e268df5896cec72e5f16f92cf4457e5a2fca62c85ba72459445e1ef225a723513db55e40bf58fe71dbac60d75bd2c31a2f08a0b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
95f075d1e43ad18f3afe91b2cc40a042

SHA1
ca8e8cfb4e1ca28a8dd1dd54d7bad6a2f15e6ef4

SHA256
8948e1d316449e271a27ffa538779f0a79ab2e76c08bd1583b22f8d8fedf80d1

SHA512
71706525e554f7c96cece3afda141f25adaadd5aa13c346617f13790c94854b71e870bcb772b3e4614c3ddbac08486b2e8759f9ba997e9180495fc2f74bea5d2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
80d451820cff71c47de35780fdfe4430

SHA1
0a691121e8b6a8b45bb1ecb041c148b0eb0e1906

SHA256
9937a523384381e6930baf811493ea22d043e7490ee2233ba3468a1426c14fa0

SHA512
4e58901234ac173f68e329b7871988a5940e7247e5ee940fa74ff41bb5331f7f660d969a70551d892caaae9d39cc34d87792a784e7de01e6476e4f7151cc4c51

Download Submit
memory/2904-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download