586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
Size

1.1MB
MD5

be1078338f65694c7b9f15554b5b3c73
SHA1

a627e86bc006a95e51457c28efd0dcbb1d08a996
SHA256

586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425
SHA512

b1c8024708301261e9a70949ef33348b349380e8abc5bd280e71860bfbc4d52eb9551d8290d78669312f15ea987cef3a9d7b0c35929ba5ca7436411ddf2bb8d7
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QH:CcaClSFlG4ZM7QzMA

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2748	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2748	svchcst.exe
2992	svchcst.exe
860	svchcst.exe
2996	svchcst.exe
1716	svchcst.exe
1288	svchcst.exe
1968	svchcst.exe
2092	svchcst.exe
2628	svchcst.exe
1928	svchcst.exe
468	svchcst.exe
2428	svchcst.exe
2888	svchcst.exe
1960	svchcst.exe
1744	svchcst.exe
3024	svchcst.exe
2972	svchcst.exe
776	svchcst.exe
1064	svchcst.exe
2664	svchcst.exe
2536	svchcst.exe
2416	svchcst.exe
1384	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2828	WScript.exe
2828	WScript.exe
2604	WScript.exe
2604	WScript.exe
1900	WScript.exe
1900	WScript.exe
1620	WScript.exe
1620	WScript.exe
2588	WScript.exe
2588	WScript.exe
1636	WScript.exe
1636	WScript.exe
572	WScript.exe
572	WScript.exe
2188	WScript.exe
2188	WScript.exe
2808	WScript.exe
576	WScript.exe
2988	WScript.exe
2988	WScript.exe
2736	WScript.exe
2736	WScript.exe
2104	WScript.exe
2104	WScript.exe
1748	WScript.exe
1748	WScript.exe
372	WScript.exe
372	WScript.exe
2336	WScript.exe
2336	WScript.exe
2824	WScript.exe
2824	WScript.exe
2348	WScript.exe
2348	WScript.exe
2584	WScript.exe
2584	WScript.exe
2800	WScript.exe
2800	WScript.exe
1692	WScript.exe
1692	WScript.exe
2844	WScript.exe
2844	WScript.exe
1600	WScript.exe
1600	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
2748	svchcst.exe
2748	svchcst.exe
2992	svchcst.exe
2992	svchcst.exe
860	svchcst.exe
860	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
1716	svchcst.exe
1716	svchcst.exe
1288	svchcst.exe
1288	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
2628	svchcst.exe
2628	svchcst.exe
1928	svchcst.exe
1928	svchcst.exe
468	svchcst.exe
468	svchcst.exe
2428	svchcst.exe
2428	svchcst.exe
2888	svchcst.exe
2888	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1744	svchcst.exe
1744	svchcst.exe
3024	svchcst.exe
3024	svchcst.exe
2972	svchcst.exe
2972	svchcst.exe
776	svchcst.exe
776	svchcst.exe
1064	svchcst.exe
1064	svchcst.exe
2664	svchcst.exe
2664	svchcst.exe
2536	svchcst.exe
2536	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
1384	svchcst.exe
1384	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2828	2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	31
PID 2972 wrote to memory of 2828	2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	31
PID 2972 wrote to memory of 2828	2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	31
PID 2972 wrote to memory of 2828	2972	586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe	31
PID 2828 wrote to memory of 2748	2828	WScript.exe	33
PID 2828 wrote to memory of 2748	2828	WScript.exe	33
PID 2828 wrote to memory of 2748	2828	WScript.exe	33
PID 2828 wrote to memory of 2748	2828	WScript.exe	33
PID 2748 wrote to memory of 2604	2748	svchcst.exe	34
PID 2748 wrote to memory of 2604	2748	svchcst.exe	34
PID 2748 wrote to memory of 2604	2748	svchcst.exe	34
PID 2748 wrote to memory of 2604	2748	svchcst.exe	34
PID 2604 wrote to memory of 2992	2604	WScript.exe	35
PID 2604 wrote to memory of 2992	2604	WScript.exe	35
PID 2604 wrote to memory of 2992	2604	WScript.exe	35
PID 2604 wrote to memory of 2992	2604	WScript.exe	35
PID 2992 wrote to memory of 1900	2992	svchcst.exe	36
PID 2992 wrote to memory of 1900	2992	svchcst.exe	36
PID 2992 wrote to memory of 1900	2992	svchcst.exe	36
PID 2992 wrote to memory of 1900	2992	svchcst.exe	36
PID 1900 wrote to memory of 860	1900	WScript.exe	37
PID 1900 wrote to memory of 860	1900	WScript.exe	37
PID 1900 wrote to memory of 860	1900	WScript.exe	37
PID 1900 wrote to memory of 860	1900	WScript.exe	37
PID 860 wrote to memory of 1620	860	svchcst.exe	38
PID 860 wrote to memory of 1620	860	svchcst.exe	38
PID 860 wrote to memory of 1620	860	svchcst.exe	38
PID 860 wrote to memory of 1620	860	svchcst.exe	38
PID 1620 wrote to memory of 2996	1620	WScript.exe	39
PID 1620 wrote to memory of 2996	1620	WScript.exe	39
PID 1620 wrote to memory of 2996	1620	WScript.exe	39
PID 1620 wrote to memory of 2996	1620	WScript.exe	39
PID 2996 wrote to memory of 2588	2996	svchcst.exe	40
PID 2996 wrote to memory of 2588	2996	svchcst.exe	40
PID 2996 wrote to memory of 2588	2996	svchcst.exe	40
PID 2996 wrote to memory of 2588	2996	svchcst.exe	40
PID 2588 wrote to memory of 1716	2588	WScript.exe	41
PID 2588 wrote to memory of 1716	2588	WScript.exe	41
PID 2588 wrote to memory of 1716	2588	WScript.exe	41
PID 2588 wrote to memory of 1716	2588	WScript.exe	41
PID 1716 wrote to memory of 1636	1716	svchcst.exe	42
PID 1716 wrote to memory of 1636	1716	svchcst.exe	42
PID 1716 wrote to memory of 1636	1716	svchcst.exe	42
PID 1716 wrote to memory of 1636	1716	svchcst.exe	42
PID 1636 wrote to memory of 1288	1636	WScript.exe	43
PID 1636 wrote to memory of 1288	1636	WScript.exe	43
PID 1636 wrote to memory of 1288	1636	WScript.exe	43
PID 1636 wrote to memory of 1288	1636	WScript.exe	43
PID 1288 wrote to memory of 572	1288	svchcst.exe	44
PID 1288 wrote to memory of 572	1288	svchcst.exe	44
PID 1288 wrote to memory of 572	1288	svchcst.exe	44
PID 1288 wrote to memory of 572	1288	svchcst.exe	44
PID 572 wrote to memory of 1968	572	WScript.exe	45
PID 572 wrote to memory of 1968	572	WScript.exe	45
PID 572 wrote to memory of 1968	572	WScript.exe	45
PID 572 wrote to memory of 1968	572	WScript.exe	45
PID 1968 wrote to memory of 2188	1968	svchcst.exe	46
PID 1968 wrote to memory of 2188	1968	svchcst.exe	46
PID 1968 wrote to memory of 2188	1968	svchcst.exe	46
PID 1968 wrote to memory of 2188	1968	svchcst.exe	46
PID 2188 wrote to memory of 2092	2188	WScript.exe	47
PID 2188 wrote to memory of 2092	2188	WScript.exe	47
PID 2188 wrote to memory of 2092	2188	WScript.exe	47
PID 2188 wrote to memory of 2092	2188	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe
"C:\Users\Admin\AppData\Local\Temp\586c1f24f96f63498730d0c29fc0d13e0d2ddf5e6f8899cf1fa4d9d7456bc425.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
9307d491be0135bbd320d215300370ad

SHA1
f795c499b06c77b224b0eee31e15d43a79c13899

SHA256
4bed5b4f5633a7266e366afea957ea33cfc0c1dc2666ca446bce576f0e2461e3

SHA512
356943d04df8675d2a7467087af2cf6f7540ef5de1b714e6c7702819915bf4671885c9568249cab0d896b90506f189b103402534a89de8ca04a845bb98fe6332

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ebf405e49dade13da94f737cdc03dba1

SHA1
8a0c39e59beed0deb4e726566b235c42c70942bb

SHA256
d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef

SHA512
bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
aa6578debd9e5045ad239d59ebeb6d15

SHA1
2a25e6293914cd6ada6649f34506c8bcf35494aa

SHA256
7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

SHA512
150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3fe9341e962b48d985bbb65c0776ba45

SHA1
ce0b8fcb4bbf956c5181afbcd2f76a72cd53e720

SHA256
0f7b980e4c16d2fbdde0982f250faf29332af8f564e9e570a5e658904631b37d

SHA512
24f594229f1078b477e21bfd715072b4d15a6e922e47e04557374c368a38f1c2825396c58e90fb8e2021ebf422e89027e84d4b4a1972705938c9d2ffb56fcdd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d2e9256880f1c457be70c8475ff76024

SHA1
447e5db0562c940216ac79ef2a250569f0829988

SHA256
3c0e9f4c4f44503bcf45fa0e6668d66f125368c580311de6e4e72cc8861b61f8

SHA512
cb8ae653afb0b01df8d06dd7751c3ebd54bdba1ae7b355afa19a52b6d9c250cc2f8b7de7eff05c16f75f88867d94599cd1cbd0d5d4ff744f40b60ff55e4f086e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
681bf84399b630c7940d352fee579949

SHA1
f90b38e8b070ebc257d5e40ee2d4ed54fa6adc56

SHA256
ea82b4e030af4e69c808e157ab9262391a215f6e377b7699ee3b016995728933

SHA512
6ec0fac095dee0385b8e76d6c9a8ab5163c2ec7070e5973ae46a33bce78b668b8d5a5dabb6f8362cb0514f3e121c7c7c9343d7992eaa40efb1f992fb5c5e5e95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b43b1609bfe45918f829185a2fd275d

SHA1
61476cfa5c856d749bbafa3cfeec4b756dfa70c8

SHA256
be75c64f68732b3fa4089d09f7f90aa65b96436c35e31ff8e3b0a2ef0243b631

SHA512
e4a284ad3f1cf7822a53c6545c39d143c0324fcd25e283778b3757a4cffc4b039b2fe5c3e5de2a078e5ec5d5bbd04fa052bd921bc66b701305945a2970f6eb84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
754af1e490caa30cf9f05691dc0b25e2

SHA1
5f1fe5506a981db3624dced4b40a2b406ce3e1a8

SHA256
cb30c47c8f7d5c616c97d6b589d9f669888d98b2a18b04f8dd49130b3150e4cb

SHA512
11b6b96d9de222c52e9eedd871cffb15ebfd196f947087ad781019401e2a105e92e3676f6f26e123f8feec1174b92bb81a2f2b71b8bfea42c92ee28d3efeff3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
10c5d9cfdf6bf9917c4c564f896352df

SHA1
c1fe1b55bd2a6344d38703977978b41f9624962c

SHA256
abfe91d4561bdca6c5202df28e4d01e7ae4523772683d7cf50587674798f2931

SHA512
54fa90e826f6d59a7ee351bba51f3238b7c58aecf74a935a993fdab059d0f1bef14fec49ba546c343c8bf867a9ddc768686c5421f7fa4375f68ce0cb1278091b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4a5833c6a310d10037d2f2d5c145a57f

SHA1
468e05d7858118fa87ae7cc7715d91d4e4be18e8

SHA256
41f27bf59368e2d3007813e749df8a7be94e4956d76de9cfd52051baee076936

SHA512
b4066b6ef33b507c2fb3f5128faa2556afb11459702ba77e008e5f9b9cadd207c4fc78e7243e71f719ab3bdb85b66206e81380998adfa330f63e433e84c2bf9e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0c18561f2d88fcf165b8f1f823713f82

SHA1
b6b66ee00d5d2373b508408e2ec5510115860f33

SHA256
87db50257e9ad20dfff6f8857fe0b2f2b8d87a150adb3738cf5906f4d211ae91

SHA512
f2eeba10b89a1c6b691ccf9bebec6268f4a240769041311d5ad4cc28b6ced9cc7610dccaa629d51a96d6f2aa71aeb68a4ea0c5425da315be5f20a9b9c6ff66c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c2a8caa6a28a1fc34e6b706368a19745

SHA1
24963bc2c90d66f1d550a40dc00991ea132ec42a

SHA256
375f64c6ecc9042b21df2fdb2d204f1831d59339577919709b9dcef8644570a7

SHA512
3c4f20b01742c0fc731e8076defc1017103eef6354c6f381e8a5b0c060f8143b9e15750044f1fd0230c5067826866bb24fd9fd538d8c6cc09004ccfb10c8a8c6

Download Submit
memory/2972-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download