31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
Size

1.1MB
MD5

457ab0703a43880417c382e283a9965c
SHA1

d6143419a6f4becc6cb81d193f9f7b0fbf878710
SHA256

31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5
SHA512

46c79266823c5a5dc26d3dc40b06410ebe454aaf68f6ba751763eec55e1a128bf4642b7c27d055d93fb3a857f6268be94a4b3dd69845b5c6dd378e595a14358b
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q6:CcaClSFlG4ZM7QzM5

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1968	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
1968	svchcst.exe
2344	svchcst.exe
1072	svchcst.exe
2300	svchcst.exe
2992	svchcst.exe
1772	svchcst.exe
304	svchcst.exe
2356	svchcst.exe
2788	svchcst.exe
2628	svchcst.exe
1652	svchcst.exe
2204	svchcst.exe
692	svchcst.exe
276	svchcst.exe
2988	svchcst.exe
2012	svchcst.exe
2676	svchcst.exe
1252	svchcst.exe
868	svchcst.exe
1752	svchcst.exe
1904	svchcst.exe
3000	svchcst.exe
1612	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2264	WScript.exe
2264	WScript.exe
2864	WScript.exe
2864	WScript.exe
2908	WScript.exe
2908	WScript.exe
2136	WScript.exe
2136	WScript.exe
1852	WScript.exe
1852	WScript.exe
1940	WScript.exe
1940	WScript.exe
3024	WScript.exe
3024	WScript.exe
1712	WScript.exe
1712	WScript.exe
2584	WScript.exe
2584	WScript.exe
2840	WScript.exe
2840	WScript.exe
2660	WScript.exe
2660	WScript.exe
1952	WScript.exe
1952	WScript.exe
2368	WScript.exe
2368	WScript.exe
2800	WScript.exe
2800	WScript.exe
2392	WScript.exe
2392	WScript.exe
2120	WScript.exe
2120	WScript.exe
2748	WScript.exe
2748	WScript.exe
2664	WScript.exe
2664	WScript.exe
300	WScript.exe
300	WScript.exe
2840	WScript.exe
2840	WScript.exe
1632	WScript.exe
1632	WScript.exe
2196	WScript.exe
2196	WScript.exe
2504	WScript.exe
2504	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
1968	svchcst.exe
1968	svchcst.exe
2344	svchcst.exe
2344	svchcst.exe
1072	svchcst.exe
1072	svchcst.exe
2300	svchcst.exe
2300	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
1772	svchcst.exe
1772	svchcst.exe
304	svchcst.exe
304	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe
692	svchcst.exe
692	svchcst.exe
276	svchcst.exe
276	svchcst.exe
2988	svchcst.exe
2988	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
1252	svchcst.exe
1252	svchcst.exe
868	svchcst.exe
868	svchcst.exe
1752	svchcst.exe
1752	svchcst.exe
1904	svchcst.exe
1904	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
1612	svchcst.exe
1612	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2264	2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	30
PID 2556 wrote to memory of 2264	2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	30
PID 2556 wrote to memory of 2264	2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	30
PID 2556 wrote to memory of 2264	2556	31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe	30
PID 2264 wrote to memory of 1968	2264	WScript.exe	32
PID 2264 wrote to memory of 1968	2264	WScript.exe	32
PID 2264 wrote to memory of 1968	2264	WScript.exe	32
PID 2264 wrote to memory of 1968	2264	WScript.exe	32
PID 1968 wrote to memory of 2864	1968	svchcst.exe	33
PID 1968 wrote to memory of 2864	1968	svchcst.exe	33
PID 1968 wrote to memory of 2864	1968	svchcst.exe	33
PID 1968 wrote to memory of 2864	1968	svchcst.exe	33
PID 2864 wrote to memory of 2344	2864	WScript.exe	35
PID 2864 wrote to memory of 2344	2864	WScript.exe	35
PID 2864 wrote to memory of 2344	2864	WScript.exe	35
PID 2864 wrote to memory of 2344	2864	WScript.exe	35
PID 2344 wrote to memory of 2908	2344	svchcst.exe	36
PID 2344 wrote to memory of 2908	2344	svchcst.exe	36
PID 2344 wrote to memory of 2908	2344	svchcst.exe	36
PID 2344 wrote to memory of 2908	2344	svchcst.exe	36
PID 2908 wrote to memory of 1072	2908	WScript.exe	37
PID 2908 wrote to memory of 1072	2908	WScript.exe	37
PID 2908 wrote to memory of 1072	2908	WScript.exe	37
PID 2908 wrote to memory of 1072	2908	WScript.exe	37
PID 1072 wrote to memory of 2136	1072	svchcst.exe	38
PID 1072 wrote to memory of 2136	1072	svchcst.exe	38
PID 1072 wrote to memory of 2136	1072	svchcst.exe	38
PID 1072 wrote to memory of 2136	1072	svchcst.exe	38
PID 2136 wrote to memory of 2300	2136	WScript.exe	39
PID 2136 wrote to memory of 2300	2136	WScript.exe	39
PID 2136 wrote to memory of 2300	2136	WScript.exe	39
PID 2136 wrote to memory of 2300	2136	WScript.exe	39
PID 2300 wrote to memory of 1852	2300	svchcst.exe	40
PID 2300 wrote to memory of 1852	2300	svchcst.exe	40
PID 2300 wrote to memory of 1852	2300	svchcst.exe	40
PID 2300 wrote to memory of 1852	2300	svchcst.exe	40
PID 1852 wrote to memory of 2992	1852	WScript.exe	41
PID 1852 wrote to memory of 2992	1852	WScript.exe	41
PID 1852 wrote to memory of 2992	1852	WScript.exe	41
PID 1852 wrote to memory of 2992	1852	WScript.exe	41
PID 2992 wrote to memory of 1940	2992	svchcst.exe	42
PID 2992 wrote to memory of 1940	2992	svchcst.exe	42
PID 2992 wrote to memory of 1940	2992	svchcst.exe	42
PID 2992 wrote to memory of 1940	2992	svchcst.exe	42
PID 1940 wrote to memory of 1772	1940	WScript.exe	43
PID 1940 wrote to memory of 1772	1940	WScript.exe	43
PID 1940 wrote to memory of 1772	1940	WScript.exe	43
PID 1940 wrote to memory of 1772	1940	WScript.exe	43
PID 1772 wrote to memory of 3024	1772	svchcst.exe	44
PID 1772 wrote to memory of 3024	1772	svchcst.exe	44
PID 1772 wrote to memory of 3024	1772	svchcst.exe	44
PID 1772 wrote to memory of 3024	1772	svchcst.exe	44
PID 3024 wrote to memory of 304	3024	WScript.exe	45
PID 3024 wrote to memory of 304	3024	WScript.exe	45
PID 3024 wrote to memory of 304	3024	WScript.exe	45
PID 3024 wrote to memory of 304	3024	WScript.exe	45
PID 304 wrote to memory of 1712	304	svchcst.exe	46
PID 304 wrote to memory of 1712	304	svchcst.exe	46
PID 304 wrote to memory of 1712	304	svchcst.exe	46
PID 304 wrote to memory of 1712	304	svchcst.exe	46
PID 1712 wrote to memory of 2356	1712	WScript.exe	47
PID 1712 wrote to memory of 2356	1712	WScript.exe	47
PID 1712 wrote to memory of 2356	1712	WScript.exe	47
PID 1712 wrote to memory of 2356	1712	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe
"C:\Users\Admin\AppData\Local\Temp\31ad1b25c63d0211ffbd6c32e265044edbc2f987b575c8712d33e3be2e1d2ed5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:692
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
04804e0bd766927456d60cf1e75add8c

SHA1
7fc29616e6b54d41f9fc74b69ded0d0645e00d1e

SHA256
9ff62b42266713a4787c2218fcab4946f2f554b7ac74c2af948761f41dc36f10

SHA512
42bfb73522d452741ca5a026e8530f198c003e91656e8ca40775165e02640fe062988998d16ea01fedbd5c3f78369821d97bb8c1da992f5eb6ff953702c62910

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
38a699d07d8879db6356427ad5568cde

SHA1
a13f87e47243e126c2ea20018877fbeac913a320

SHA256
33039fb8b50833ea2836de980992405e10426ad862007f2fef2a96147dccc7bb

SHA512
b5373577a397c0eb493b1173f0fa5a583fe10b986eced439f39997707622fdb54dad7f39311c0148da02b9f0eda2c097d6d9e98b6a7c7d4aa5996e7cc5f4791d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
052d0351a5a2283ca385805bf30cc37b

SHA1
0f86c2c33b5641b89bcc430a98956447cb8f6f06

SHA256
643f8c0adfd63b72f9419f5b077829fa7f6d454b738cbcaeead63cd1feb4a9af

SHA512
6e4f1c407fa96a3ed03b416fcf4cb300f7ecefd2e67ddc0d45407b0f97f254ffa55cf34fac7c8ed1e69ece8704fae1d483612948dab8fb6d0c9d39e06bbb23ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ddf68547078713a6bd04e589e87bc2f

SHA1
cdfb5481f8214590744133c77204eff54e733b90

SHA256
a5954677872e02157f5c6921ef883fbc22a4f7940d17403a9a0658931d4971fc

SHA512
194d12570a7d4e8e9341f56d23fda7ff49e131e818b93633b75c6ef05b6972b8428294bb95529af25cf75cbe2d86756dab000be200466a30a64922e764ebfc2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b43cc190210c9c6b2742cc52bd8296bc

SHA1
5476b0b4ca6b80be460b3e183f51d50599750324

SHA256
0081c1fe196153e4e7651f0c4a3888bda7623ba8f76218b8df10dc5147d778c0

SHA512
dee2b38b2222020a8fdf2bb241461b3e58978761cfa4c2099184badfc7a98d4acdd0f75d9417a94928a62da7f7c10e9cc04546636e88004897dd3c73cabeed27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c85adfb789ee03eba0d843b08042e4db

SHA1
263793011d11bd0dd1daf4b55215a8802f9bf6e2

SHA256
8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59

SHA512
b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9f1893a5be5e162fd37d59ad4717a5a0

SHA1
293bb490cae0b2a78d438305809dad1637476012

SHA256
bdcc09c23ae8609dd0cc339d9d6b797c9c53d3aae6a502470cc6c918b49e1bf3

SHA512
d2b05945d94db2792971239ff86e75482ae90dfb8106f9045449671cf51b17929fd4f438721cdfda898f3ace056a045781efdb1b207013f2dc804a6303853130

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
33ab8e4866e30f17f13e03be9ba34e48

SHA1
8002af132fca62cc294178de0c78d0353654b1f8

SHA256
16bcc8274d8805657a43f009c59067c5b4497844a07700d684f48e01d855b9c7

SHA512
4d6bc6c71a4f009bde48cfbdcb7544a7f54f2b6b60386e690c42a62f1fb524ac1107f2662a29def90458fc1837af1ccbbfa809abac0c8485835063986b060b48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
052a29349ae3c746e79d34e89fe28af3

SHA1
a9e81262b0678ec1b321771f7b5c53e18ff01101

SHA256
7a0aed30ae434d3442b36d53f37f3cf619499717053a350cb5ea7ba65c66b5c0

SHA512
58fd0528dfd40bf1aa639564f3ce3882d932e4cb26f08406d9cca0d6f371a248283a8fba686edddc02fc406dd7369e43ceaed69f384bd5145cefe0f1bdb8d073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c5c779d71cdc4f376b5fce4a3efc2939

SHA1
8c5dc5ddb975a676f2cf003b7c78172157775539

SHA256
02dca9ed27cf82519ea0b285b3cf2923e322fdba605ea9c908dde18492d3e79d

SHA512
6145df55a553b3d412f46153e07f015a8898d194c5608561e9f42dff547def782466bdcaa74c89d9bb1230954e02bda71b52decf10f90b92637f8cd28cb80403

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
812c9dde9e54f05f4f32cca06f8896b0

SHA1
985cdab9ec50d4b2a81fb1dd00214e360fc678a4

SHA256
2557e8bae35ca5f908f0f9f0177d2b98609fdcc4be96c363486d81077db41362

SHA512
a0107b6bf8fb7278e697a063a85e5ab77ac3e6fc642b3c86c3ef30ed64105bb3f1643bea112d2d182ae65689ed7edfe6493eef7cd75746dc3901c830d962b9d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fae85e974c9627fc36bcedbc02015846

SHA1
5de63a59bef7cccab436dcab439488b33516bf7e

SHA256
73e9fb7f8d98b49549a95df8e9717bc5e0831e1d2f405cc621c0a33b61584025

SHA512
d03ccef3e1d26a92953ae2df7af093f9e04df5bdda8faeeb14ea81a14bf0980da3d4af191dbbc163bbd1425ea49ed78251eefa533af89513be651d9cad5fc156

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4a312f09102e2117f2d004d85e49ad4d

SHA1
dd329dd9f577e2b2b18874a34706b6eebc3c18ce

SHA256
1afeeb733b11dba15eafd744dcba8dd0aefced35075a6b9a9bf84ba2f1656b1b

SHA512
f1b89ca394498cf90d1b1060d4dd388bba4a4e4df31f693b9f9d7fe956987722433bbafb9718343ec8fc907c1f9d6673e3b5d7a79349d5a3ba7efa3b08bdb35f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b4675cd46e61c0445baa74928ef2233f

SHA1
1c84772f82d0d7ca834031c1770ee364b3cce15a

SHA256
c80eb77c95c80c5e6f227ceeedf62f1167d57de8eff3de0f92bf5011260f39af

SHA512
4b4456eb49f840175c0a35fe319cd8021ae8a3fa39a16a221f88a37f95a72f2d9920dab889e2ffce1a046bc250bc5e7eed97acd041a9041ad885fe4ae52262ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d378c05549ce47be04071d518589af21

SHA1
9c105e271e3a0a6cef3419f35f3832f23df2df17

SHA256
a23cebb4693978fc683ddac744580107c39f5287a00acc761bc3452bd39e54c0

SHA512
320ef219f50b954c54c393a7947372e197d939a0aabe450e8c2f2f5a2094b9cf19d4f0dec7c7585aa85cda42fde16a8c225c46550e54aec2064854a355f50e66

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c98e3f577b073aabbbf4aa93f71ff75

SHA1
fa23d62c2c728d1cbe009a8808905cc077e9c183

SHA256
42ee1ec0ef42bbf7dabc54efac3c0dc3088525accca2a26f3e8c83a5c66e91e2

SHA512
68e6b9d9e5facf40e79842b0fa0619ec4d496faba407f1945e1654569e268dcbacf368ab9ac2f74cf1f2f22dc670302bc7b01e0252b65aa313dce77db63f0b8c

Download Submit
memory/2556-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download