7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe
Size

1.1MB
MD5

c0b94fa77fe1e1e02c3c8adcb4117d1f
SHA1

9a1178975822d869e7f11011dda586412dc90841
SHA256

7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d
SHA512

440e14d8f5f966f8e78fef4eedefdd474cbd9b1225b44921cd1d71a3637681330ec95f998259b68955a214a11a3b5f90e1f162a306b7b7b079ae599d6a3770cd
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QU:CcaClSFlG4ZM7QzMj

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2016	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2016	svchcst.exe
2932	svchcst.exe
2844	svchcst.exe
2832	svchcst.exe
692	svchcst.exe
1524	svchcst.exe
2448	svchcst.exe
2396	svchcst.exe
2684	svchcst.exe
2656	svchcst.exe
2804	svchcst.exe
1900	svchcst.exe
1832	svchcst.exe
496	svchcst.exe
2104	svchcst.exe
1692	svchcst.exe
2860	svchcst.exe
1556	svchcst.exe
2348	svchcst.exe
2244	svchcst.exe
1464	svchcst.exe
908	svchcst.exe
1992	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2400	WScript.exe
2400	WScript.exe
2772	WScript.exe
2772	WScript.exe
1160	WScript.exe
1160	WScript.exe
1668	WScript.exe
1668	WScript.exe
2256	WScript.exe
2256	WScript.exe
1756	WScript.exe
1756	WScript.exe
2460	WScript.exe
2460	WScript.exe
1560	WScript.exe
1560	WScript.exe
2408	WScript.exe
2408	WScript.exe
2208	WScript.exe
2208	WScript.exe
988	WScript.exe
988	WScript.exe
1504	WScript.exe
1504	WScript.exe
824	WScript.exe
824	WScript.exe
692	WScript.exe
692	WScript.exe
2248	WScript.exe
2248	WScript.exe
2432	WScript.exe
2432	WScript.exe
2744	WScript.exe
2744	WScript.exe
2636	WScript.exe
2636	WScript.exe
2160	WScript.exe
2160	WScript.exe
2764	WScript.exe
2764	WScript.exe
1520	WScript.exe
1520	WScript.exe
1668	WScript.exe
1668	WScript.exe
604	WScript.exe
604	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe
2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe
2016	svchcst.exe
2016	svchcst.exe
2932	svchcst.exe
2932	svchcst.exe
2844	svchcst.exe
2844	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
692	svchcst.exe
692	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2656	svchcst.exe
2656	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1832	svchcst.exe
1832	svchcst.exe
496	svchcst.exe
496	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
1556	svchcst.exe
1556	svchcst.exe
2348	svchcst.exe
2348	svchcst.exe
2244	svchcst.exe
2244	svchcst.exe
1464	svchcst.exe
1464	svchcst.exe
908	svchcst.exe
908	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2400	2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe	30
PID 2388 wrote to memory of 2400	2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe	30
PID 2388 wrote to memory of 2400	2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe	30
PID 2388 wrote to memory of 2400	2388	7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe	30
PID 2400 wrote to memory of 2016	2400	WScript.exe	33
PID 2400 wrote to memory of 2016	2400	WScript.exe	33
PID 2400 wrote to memory of 2016	2400	WScript.exe	33
PID 2400 wrote to memory of 2016	2400	WScript.exe	33
PID 2016 wrote to memory of 2772	2016	svchcst.exe	34
PID 2016 wrote to memory of 2772	2016	svchcst.exe	34
PID 2016 wrote to memory of 2772	2016	svchcst.exe	34
PID 2016 wrote to memory of 2772	2016	svchcst.exe	34
PID 2772 wrote to memory of 2932	2772	WScript.exe	35
PID 2772 wrote to memory of 2932	2772	WScript.exe	35
PID 2772 wrote to memory of 2932	2772	WScript.exe	35
PID 2772 wrote to memory of 2932	2772	WScript.exe	35
PID 2932 wrote to memory of 1160	2932	svchcst.exe	36
PID 2932 wrote to memory of 1160	2932	svchcst.exe	36
PID 2932 wrote to memory of 1160	2932	svchcst.exe	36
PID 2932 wrote to memory of 1160	2932	svchcst.exe	36
PID 1160 wrote to memory of 2844	1160	WScript.exe	37
PID 1160 wrote to memory of 2844	1160	WScript.exe	37
PID 1160 wrote to memory of 2844	1160	WScript.exe	37
PID 1160 wrote to memory of 2844	1160	WScript.exe	37
PID 2844 wrote to memory of 1668	2844	svchcst.exe	38
PID 2844 wrote to memory of 1668	2844	svchcst.exe	38
PID 2844 wrote to memory of 1668	2844	svchcst.exe	38
PID 2844 wrote to memory of 1668	2844	svchcst.exe	38
PID 1668 wrote to memory of 2832	1668	WScript.exe	39
PID 1668 wrote to memory of 2832	1668	WScript.exe	39
PID 1668 wrote to memory of 2832	1668	WScript.exe	39
PID 1668 wrote to memory of 2832	1668	WScript.exe	39
PID 2832 wrote to memory of 2256	2832	svchcst.exe	40
PID 2832 wrote to memory of 2256	2832	svchcst.exe	40
PID 2832 wrote to memory of 2256	2832	svchcst.exe	40
PID 2832 wrote to memory of 2256	2832	svchcst.exe	40
PID 2256 wrote to memory of 692	2256	WScript.exe	41
PID 2256 wrote to memory of 692	2256	WScript.exe	41
PID 2256 wrote to memory of 692	2256	WScript.exe	41
PID 2256 wrote to memory of 692	2256	WScript.exe	41
PID 692 wrote to memory of 1756	692	svchcst.exe	42
PID 692 wrote to memory of 1756	692	svchcst.exe	42
PID 692 wrote to memory of 1756	692	svchcst.exe	42
PID 692 wrote to memory of 1756	692	svchcst.exe	42
PID 1756 wrote to memory of 1524	1756	WScript.exe	43
PID 1756 wrote to memory of 1524	1756	WScript.exe	43
PID 1756 wrote to memory of 1524	1756	WScript.exe	43
PID 1756 wrote to memory of 1524	1756	WScript.exe	43
PID 1524 wrote to memory of 2460	1524	svchcst.exe	44
PID 1524 wrote to memory of 2460	1524	svchcst.exe	44
PID 1524 wrote to memory of 2460	1524	svchcst.exe	44
PID 1524 wrote to memory of 2460	1524	svchcst.exe	44
PID 2460 wrote to memory of 2448	2460	WScript.exe	45
PID 2460 wrote to memory of 2448	2460	WScript.exe	45
PID 2460 wrote to memory of 2448	2460	WScript.exe	45
PID 2460 wrote to memory of 2448	2460	WScript.exe	45
PID 2448 wrote to memory of 1560	2448	svchcst.exe	46
PID 2448 wrote to memory of 1560	2448	svchcst.exe	46
PID 2448 wrote to memory of 1560	2448	svchcst.exe	46
PID 2448 wrote to memory of 1560	2448	svchcst.exe	46
PID 1560 wrote to memory of 2396	1560	WScript.exe	47
PID 1560 wrote to memory of 2396	1560	WScript.exe	47
PID 1560 wrote to memory of 2396	1560	WScript.exe	47
PID 1560 wrote to memory of 2396	1560	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe
"C:\Users\Admin\AppData\Local\Temp\7ab4b697b8c3e2b7a5f3c778a70786513038eebd53aa9f13069f0e96a62c659d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
92786a7a20fae2208d7c0c45a86bbd8a

SHA1
c46ef5e0c56983b3ce16b1be32d147f767a8385b

SHA256
81a4831a401bb0b32ec60a04fa2c61c654588e1225332c8bcd295cca3e4685f9

SHA512
331fc23a0e94cd611fbe2d798e1e66ba8673c3f26783708a52316a4688725014a43a83870a91c1113d89761f4f3c98035ccfb9595bc6ed8e578c573037349c0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
98328aa8ad181fbf0b87edfc21155dce

SHA1
3ca100ca64d5f62a5dceef47f414c0953fd4f559

SHA256
a6928cf27564f6f983d8f62358463a2dee471715b220de03db8b72ebf105f20c

SHA512
75f298c982eeebf184fdd0612436583a863beba740bd55053539dc1b1c20103a1c6f5da46b41621eb00d601cdfc86c1705080a0da08fef7756637805dcb588ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9627e3850f4f7495f6d36ebae56aa594

SHA1
001694633bc632a7ae2812ed74828335bec77531

SHA256
0aeaf02fb74a0799c8eccaa37e1586435318608e7945b8084fe87f956822cb25

SHA512
03986ee3b4faf96fdb2bdeb1c41e216c81e1c0f7d4403b69c7e7e39baa45e2806d57fad32904bdf04728eb9db7570d94341e73bf8a1f6ba1964072a65de4e894

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7a93434b24a05819a792595e93943a37

SHA1
c715a777d5998290acbad85b49375bc0527d6e59

SHA256
67ad22084d146b5467315f63985c5f5833d3b5296d369cbf6f3934522bb3b763

SHA512
195b0b41feb822abd26e34daa7e4482aa027d65b6b076a6e01b6b70bc795ff4a22f00a48d9c291112b1c06bf6aa344c4e02aee36256cd9a3882aa4c816864e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5223ced8cac4000ee2ae507c37a12059

SHA1
9e7d114936b223868d8e33f51565cbd20cf3d349

SHA256
31333163fdd7f60a4bb5448eb5f6e38b765a892901b8097abc764843360d3195

SHA512
61ba6fc07325b9b9e338dcb9bc285c343951ad3356ecb0aa9ab88fd4f69e31e8d3a63d6f94bd35226d800a6ccb469ca644729257c5116acf8350c6c77f3bd353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a01bd113963ee553b05de7a37edf7fe5

SHA1
f0f49a62902a25e15fb47aada1d186100bbf798f

SHA256
02d5060d690498e1f9a8830453e68ceccd95cf64226f1740d6d3ddbb4e9f6f71

SHA512
fa59cf62bda1b782101c7888ad7d8f6228adf5605fdc96bf7923446759ac6dbb7a3708dbb9c019634ca78c6c9830da47b5c8f79a791946bd887844fb8707b8f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d1cdfe4af5bdd1d60f1b830716b46542

SHA1
e43046ab7d016bab440939b79640d291fad8bbf0

SHA256
ce848e1674060add4317dbc531886708a593136f00b1ff29c68c688a03acb426

SHA512
ad27a44ec405e2c986e86915c9d7fb61aab7ab13c5045806b0cba07bc42851415319048d4e163587bb47636a74832bb1f375c8b211e011b96aa00edaf7e9319c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7ca3f32c121a16b6bcd7fef9e0b47763

SHA1
7ec185dbf8d8f4ff947e859b5b59064b8707a63d

SHA256
3b62fe1a5cd22ab59ff46fd7c3c360fbdca3be43c3e9a3513f7aabf6bde837e5

SHA512
b29d55e5e945762c434e7294026976571aaceff252ceff698c53cc28e59ec35f1df103c16757cd574a0271a495fc6ce2a480420224aca1292db08d2700313f30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7b832ebbf9093a1672889e14dc224ed0

SHA1
81e813dcc3243f45a1cd70c5eec01edcdc000753

SHA256
318494bb7951c2a65cb61c8cdba8cf3679df5954604a63b4476617a1af652706

SHA512
e34cd81eaafbdfc89c9c87de1b5e7e2dacaefcc47ee9d26a7786df99d500ab62869ae4c74e30159a03d4221168ae2773c0668041d2f841f21e0677912a9a9b11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86240a2568d27a0fa6490b449e36adc9

SHA1
de4921dec9f6a5ace87f9ca9dbe813fac1c46e5b

SHA256
4eed3cfe2f79de5fd96d85a817b6674d07b6bc1e0c03ab6257fb003203db6eac

SHA512
94cc9ac007fabfc945a52e49acd96099fc62ddbb65ba64186e7d05fbd94ab8fe0e63127e9050d7c368244e637e624b0ff8b3394d4d8aea5ea8f2ea93291d42bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
144e611f7e1cc88d6e2e799afb4cb53c

SHA1
9f77c46a128a15e7be734edfa990ff106bc9b146

SHA256
b03a026d6e471b4a912e73533b12a7122aadcbb0d3a716f8186b84af6584e540

SHA512
9dc419a5601c1c81be7650f781bcaeeaa6b9e09e7e6a01e546c120f8b5534e512b2d8dbb895a6d88840f1ec7f118e75110bdd21aef0e094d45364c407e04f411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ab77d4cd286de0466ceb741515cefca7

SHA1
5ff888fd9f1f052659fbabb6a5394db2f846b0ae

SHA256
9551010c09a48d5af7577a2d027793facf987fb1187c332cdb74bca4eabc0a13

SHA512
528d19b5eb903de6b7d530816a40d1579b80809f5c3cf70b236d226fd5109c4513971b377439bb52ec160b115e6dbca7f4a2d0f455d65dbf6b21a6a6c210275b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c5890751cdfc74215f4457bc56ced7af

SHA1
4db7fa21a7e349ca6d3261e0d84ede4c21d3a6d2

SHA256
ac4fae1574b97664ec511a3785c9cdff243dc6a9ebfdb69b37a50061ff24d7a8

SHA512
62cacb55ce8c8df93d753365e473d95ceceb9c51c8a1e0ce1180595ac46b3d89d3eb03b791b2c7b283ea198c340257f7390f6b381e58b76b58a44bf933742bea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7b007c7aef11a0a39adf810bd40a6b1a

SHA1
ef028eb9ef09324ed564497bb2edcf03ff36180e

SHA256
5d945a7e24e1d4b73b0242ddc7f5ca1b17888d4f2c68c104536955e2eb644779

SHA512
a48479d083526de0616f37909bacc22e1b9f4abfa659757914fcf206335979562efcc062153e72d41d64070119e435ae268ec8f795eb829f660e7724f8720d3f

Download Submit
memory/2388-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download