85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b

Analysis

max time kernel
138s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
Size

1.1MB
MD5

0fecbee9db43020501daa323ded7ce4e
SHA1

8ea52da7be008a8f3307b55225692b2dd2082cfc
SHA256

85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b
SHA512

2427a8fe86b8a706d0722e86b748ada83fd15ca2909430c3bcd53ab65464f13875ccd86c05227ee1f2162c137c0a1e4a69cca86746b17cdab635fbb906dd8838
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qa:CcaClSFlG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2140	svchcst.exe

Executes dropped EXE 21 IoCs

pid	Process
2140	svchcst.exe
2208	svchcst.exe
2448	svchcst.exe
920	svchcst.exe
1040	svchcst.exe
2308	svchcst.exe
2164	svchcst.exe
1680	svchcst.exe
552	svchcst.exe
2208	svchcst.exe
2412	svchcst.exe
1496	svchcst.exe
2000	svchcst.exe
652	svchcst.exe
2700	svchcst.exe
2288	svchcst.exe
1184	svchcst.exe
1476	svchcst.exe
2532	svchcst.exe
1840	svchcst.exe
1600	svchcst.exe

Loads dropped DLL 42 IoCs

pid	Process
2384	WScript.exe
2384	WScript.exe
984	WScript.exe
984	WScript.exe
2200	WScript.exe
2200	WScript.exe
2372	WScript.exe
2372	WScript.exe
952	WScript.exe
952	WScript.exe
1792	WScript.exe
1792	WScript.exe
908	WScript.exe
908	WScript.exe
2680	WScript.exe
2680	WScript.exe
1968	WScript.exe
1968	WScript.exe
1692	WScript.exe
1692	WScript.exe
2124	WScript.exe
2124	WScript.exe
2496	WScript.exe
2496	WScript.exe
592	WScript.exe
592	WScript.exe
2928	WScript.exe
2928	WScript.exe
1180	WScript.exe
1180	WScript.exe
2600	WScript.exe
2600	WScript.exe
1660	WScript.exe
1660	WScript.exe
1632	WScript.exe
1632	WScript.exe
1452	WScript.exe
1452	WScript.exe
1692	WScript.exe
1692	WScript.exe
1328	WScript.exe
1328	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
2140	svchcst.exe
2140	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
920	svchcst.exe
920	svchcst.exe
1040	svchcst.exe
1040	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
2164	svchcst.exe
2164	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
552	svchcst.exe
552	svchcst.exe
2208	svchcst.exe
2208	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
652	svchcst.exe
652	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2288	svchcst.exe
2288	svchcst.exe
1184	svchcst.exe
1184	svchcst.exe
1476	svchcst.exe
1476	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
1840	svchcst.exe
1840	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2384	1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe	30
PID 1364 wrote to memory of 2384	1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe	30
PID 1364 wrote to memory of 2384	1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe	30
PID 1364 wrote to memory of 2384	1364	85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe	30
PID 2384 wrote to memory of 2140	2384	WScript.exe	32
PID 2384 wrote to memory of 2140	2384	WScript.exe	32
PID 2384 wrote to memory of 2140	2384	WScript.exe	32
PID 2384 wrote to memory of 2140	2384	WScript.exe	32
PID 2140 wrote to memory of 340	2140	svchcst.exe	34
PID 2140 wrote to memory of 340	2140	svchcst.exe	34
PID 2140 wrote to memory of 340	2140	svchcst.exe	34
PID 2140 wrote to memory of 340	2140	svchcst.exe	34
PID 2140 wrote to memory of 984	2140	svchcst.exe	33
PID 2140 wrote to memory of 984	2140	svchcst.exe	33
PID 2140 wrote to memory of 984	2140	svchcst.exe	33
PID 2140 wrote to memory of 984	2140	svchcst.exe	33
PID 984 wrote to memory of 2208	984	WScript.exe	35
PID 984 wrote to memory of 2208	984	WScript.exe	35
PID 984 wrote to memory of 2208	984	WScript.exe	35
PID 984 wrote to memory of 2208	984	WScript.exe	35
PID 2208 wrote to memory of 2200	2208	svchcst.exe	36
PID 2208 wrote to memory of 2200	2208	svchcst.exe	36
PID 2208 wrote to memory of 2200	2208	svchcst.exe	36
PID 2208 wrote to memory of 2200	2208	svchcst.exe	36
PID 2200 wrote to memory of 2448	2200	WScript.exe	37
PID 2200 wrote to memory of 2448	2200	WScript.exe	37
PID 2200 wrote to memory of 2448	2200	WScript.exe	37
PID 2200 wrote to memory of 2448	2200	WScript.exe	37
PID 2448 wrote to memory of 2372	2448	svchcst.exe	38
PID 2448 wrote to memory of 2372	2448	svchcst.exe	38
PID 2448 wrote to memory of 2372	2448	svchcst.exe	38
PID 2448 wrote to memory of 2372	2448	svchcst.exe	38
PID 2372 wrote to memory of 920	2372	WScript.exe	39
PID 2372 wrote to memory of 920	2372	WScript.exe	39
PID 2372 wrote to memory of 920	2372	WScript.exe	39
PID 2372 wrote to memory of 920	2372	WScript.exe	39
PID 920 wrote to memory of 952	920	svchcst.exe	40
PID 920 wrote to memory of 952	920	svchcst.exe	40
PID 920 wrote to memory of 952	920	svchcst.exe	40
PID 920 wrote to memory of 952	920	svchcst.exe	40
PID 952 wrote to memory of 1040	952	WScript.exe	41
PID 952 wrote to memory of 1040	952	WScript.exe	41
PID 952 wrote to memory of 1040	952	WScript.exe	41
PID 952 wrote to memory of 1040	952	WScript.exe	41
PID 1040 wrote to memory of 1792	1040	svchcst.exe	42
PID 1040 wrote to memory of 1792	1040	svchcst.exe	42
PID 1040 wrote to memory of 1792	1040	svchcst.exe	42
PID 1040 wrote to memory of 1792	1040	svchcst.exe	42
PID 1792 wrote to memory of 2308	1792	WScript.exe	43
PID 1792 wrote to memory of 2308	1792	WScript.exe	43
PID 1792 wrote to memory of 2308	1792	WScript.exe	43
PID 1792 wrote to memory of 2308	1792	WScript.exe	43
PID 2308 wrote to memory of 908	2308	svchcst.exe	44
PID 2308 wrote to memory of 908	2308	svchcst.exe	44
PID 2308 wrote to memory of 908	2308	svchcst.exe	44
PID 2308 wrote to memory of 908	2308	svchcst.exe	44
PID 908 wrote to memory of 2164	908	WScript.exe	45
PID 908 wrote to memory of 2164	908	WScript.exe	45
PID 908 wrote to memory of 2164	908	WScript.exe	45
PID 908 wrote to memory of 2164	908	WScript.exe	45
PID 2164 wrote to memory of 2680	2164	svchcst.exe	46
PID 2164 wrote to memory of 2680	2164	svchcst.exe	46
PID 2164 wrote to memory of 2680	2164	svchcst.exe	46
PID 2164 wrote to memory of 2680	2164	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe
"C:\Users\Admin\AppData\Local\Temp\85ea58d7541f2c3d242a392c6512c76a6f93f51424c3514e6c8a0c423768a76b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:984
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
619955d43a58558c766025119a5a66cb

SHA1
cfb43d2b9cb68699667ca8d4929e71b25ed115ab

SHA256
a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee

SHA512
20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
024be950e07002e527b8dd1efbb0e4b4

SHA1
1a56034c6366027442be28a75bce7cdea55a8a98

SHA256
51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893

SHA512
96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
48e04b8c794b661550560f9e02af5bb4

SHA1
973d939e48bc7713c0338e95966219616bd415d0

SHA256
f3bfe9c6c363e0ef4e22d9990175cb4c1c5d7d087aa5a2cff9f912d5ac6676da

SHA512
23ca46c09e1c2c320c7c79e71056dc6cb78d1dbaa75f4cee92e63626fe1eef268d91c519a8a0219f816049d2babd0276d27471ccc57a05825ce339ea88eea778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4e9605159361f93230fef3cc5ad4301c

SHA1
64e6d5673487e049cc4e96650b507641062ca1bf

SHA256
2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

SHA512
5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
156c7c0657edefb23a9c08553946f689

SHA1
91ccdf4c31209219142a55772bff6acdcc130a83

SHA256
f6a547fab7b11ff48388c8470405213cad924bdf071452935758058b24161ef1

SHA512
5e90f2e350989a40ca19a5a2371ec5e03e890c6c5448e3c7679bc85de7b48c776613d1bd5353c0822bc90216a52647025920834b5cdb1f3ab29e0d77bfb4f298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d1494498f473dce621056d7fe7790314

SHA1
ef74861aaf0b0328741cb4142e1f652cb40a533e

SHA256
790028317b29f85f0044792ab78b324116d8bc4abe14ee6aefb563f2f80e0481

SHA512
b9d52c9806f3eac82e7750384efd6a46db99f62199456804febbbb723ae2700212c38efdaa5e53cce9681bb876f07f2cc5e3c9c697709fd9804f10ae8705d406

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b6edafb08e9744b05b9574c45e010d05

SHA1
65855f3696af56ee0cf924423659e17ac33be828

SHA256
a5b5308530f6a4679f09ea193b37574a97182f863d488d40bc704bab118241b9

SHA512
10623d94d9da4f36ad67088c7449a799785d1d279d555f4a3b95221c038b7ac46a84e6040a11d528c09c13245befbcd4ad8edfb8bccfe61d1ff343d0e8269e8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
387f903a86312075f8e2e2bbb771acfd

SHA1
15011ac28a8d3c531139649146b656db22b52eec

SHA256
362253ce28ed948712b665d838504d55aac4c0d53a14856afc9d1da516121083

SHA512
87d7cf43c71ee23e7901f3b76883179eed4038d96852ee91676a1c69ea2cab9615f89c6b7d5c0de76eefe604795d156e34df29c1ff5f6a108d230acc0b6c6226

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
69150298e75985a634790d683d49f5ca

SHA1
e4c4ccf5e4d9811a14dc6f825d166b5c96ecc0c0

SHA256
fd375b9ffb48659ee2ec553550ee78d5fef16b0d4ba2e38f56c8833da2884e97

SHA512
d8dcfaa105dd1373cee55ab7b997ee8e3e632d9c340fd8b7ceab8ae4c1479fae33373e57492507168da0eb710cbae9c6bd34a5f8e1626718076e63f68556043e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1bd141000f9c923e72346ddcf2c40ee6

SHA1
80212778839834c89946c299c34c5e9baee3b767

SHA256
909bd64b7754648a8331258268558b3dc0eba3de52b42efac8753c56f3c4afc1

SHA512
a5f431507e630e1a1a60a2ef7321177a5a19d18810607bdd6e6e9481df4dd66d0db43424976dba50e63f1be3b3d314e6f25fc4a3fb8eee90a27ccad4f8336d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a55f212ed8df69fd7d18c865102639b4

SHA1
603a5914ef4c96733fa43cb334591a3de477c590

SHA256
a5faccf1435aef2960e01951c9a4a7041a98bd6dabc0c58b0acd19cad785ca80

SHA512
153cd2310df33da5f8eb1bf4fe0bd903b4546328a3116eaa1f5f3ccf20dd3b002f7e257d24b98bb14fff34271d67b9a5e5269aad49d4a7490a8a49626051d7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3401962db87702d3d63fd021b9be5d9e

SHA1
e51c5de3d40c3f275573d82927f255abc1af32c6

SHA256
7e119282ccf751d3af726badb521121d00bfa9d48c6ab84a626cd1a7a4a49c1e

SHA512
42ca328ee377fde74c0bcb39d4e5d81ec5da1f19b5aaedb416c75aa26a89b42e9e7994a9d7b70fe4ab226f1a67952294b2b0f5ce3b9a9971860525127da3ef68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
19d37fc00623edb2165cb8ad6dbcd123

SHA1
fc7f07c754d1da2842dcf9fc680334ecb9221a95

SHA256
40a7b2925315d8dae08c9fe30686403e6b2eb40c09df86e04df55b2688d874cb

SHA512
b5ac4313371b9fd998a35463f650e3cadce1a1cd26deeb99e73bfd190f101a8c5d537f55bb34b67d9867250645b05fd82053af3217a5a2ed19eed318bb1376d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
32525612388883729f4ba3c58edff58d

SHA1
13d9d7054d012d43d90b3dc0db73d9040f782a51

SHA256
6190e97f828dad8f9a08bc29f297d72416918fa1b1a0476b1a2b685cad082645

SHA512
ef18447bf31f0b2e07ce18222ed1d2bad4882665a1319fa18f0f4797b1e9ec1eba9bce22ea6058d2d7edb36596eb0c0c7ccc2c3ea1c55c8c2069e40912891b0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62de3d5891cc693bf625e1797447e62a

SHA1
64cd214797567adddb778fdada3044a8d16915c5

SHA256
c57becc790e0dc7a3f3e60e675f270ec27183b0b5e8dab5cc16f4802c612f760

SHA512
dc770867448fc1a3e97bdf773afeb52bdf7bea40df0b79dd350ecdfb9ef0f8bfaf65f51925710047e5e9e2b47dd19cc6533ff50a61b5aa18dc489ac9fe445359

Download Submit
memory/1364-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download