840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe
Size

1.1MB
MD5

f6b442beb4dd9fabcc8432a2c9d48546
SHA1

ea03754ef2a4568ac64269190f8b4f307386aa6d
SHA256

840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d
SHA512

e77e7f8af9b307a3418f76a563e6d3d2fe986e97e741cce7d1ace9cb78634370c40533ee8ade3c6cb8f8ebc156dfb3456961469ddd04ad73042e4242d03e7bed
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qz:CcaClSFlG4ZM7QzMk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2852	svchcst.exe
3044	svchcst.exe
2776	svchcst.exe
3064	svchcst.exe
1032	svchcst.exe
2544	svchcst.exe
592	svchcst.exe
2296	svchcst.exe
2612	svchcst.exe
868	svchcst.exe
2252	svchcst.exe
2124	svchcst.exe
2032	svchcst.exe
344	svchcst.exe
2512	svchcst.exe
2116	svchcst.exe
1984	svchcst.exe
2000	svchcst.exe
948	svchcst.exe
1608	svchcst.exe
2452	svchcst.exe
2028	svchcst.exe
2564	svchcst.exe

Loads dropped DLL 44 IoCs

pid	Process
2420	WScript.exe
2420	WScript.exe
2012	WScript.exe
2656	WScript.exe
1628	WScript.exe
1628	WScript.exe
2204	WScript.exe
2204	WScript.exe
1356	WScript.exe
1356	WScript.exe
1784	WScript.exe
1784	WScript.exe
1564	WScript.exe
1564	WScript.exe
2832	WScript.exe
2832	WScript.exe
3040	WScript.exe
3040	WScript.exe
840	WScript.exe
840	WScript.exe
2144	WScript.exe
2144	WScript.exe
2136	WScript.exe
2136	WScript.exe
956	WScript.exe
956	WScript.exe
2024	WScript.exe
2024	WScript.exe
1364	WScript.exe
1364	WScript.exe
2908	WScript.exe
2908	WScript.exe
2812	WScript.exe
2812	WScript.exe
1684	WScript.exe
1684	WScript.exe
3040	WScript.exe
3040	WScript.exe
2552	WScript.exe
2552	WScript.exe
1008	WScript.exe
1008	WScript.exe
1944	WScript.exe
1944	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe
3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe
2852	svchcst.exe
2852	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
1032	svchcst.exe
1032	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
592	svchcst.exe
592	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
2612	svchcst.exe
2612	svchcst.exe
868	svchcst.exe
868	svchcst.exe
2252	svchcst.exe
2252	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
344	svchcst.exe
344	svchcst.exe
2512	svchcst.exe
2512	svchcst.exe
2116	svchcst.exe
2116	svchcst.exe
1984	svchcst.exe
1984	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
948	svchcst.exe
948	svchcst.exe
1608	svchcst.exe
1608	svchcst.exe
2452	svchcst.exe
2452	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2420	3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe	30
PID 3008 wrote to memory of 2420	3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe	30
PID 3008 wrote to memory of 2420	3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe	30
PID 3008 wrote to memory of 2420	3008	840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe	30
PID 2420 wrote to memory of 2852	2420	WScript.exe	33
PID 2420 wrote to memory of 2852	2420	WScript.exe	33
PID 2420 wrote to memory of 2852	2420	WScript.exe	33
PID 2420 wrote to memory of 2852	2420	WScript.exe	33
PID 2852 wrote to memory of 2012	2852	svchcst.exe	34
PID 2852 wrote to memory of 2012	2852	svchcst.exe	34
PID 2852 wrote to memory of 2012	2852	svchcst.exe	34
PID 2852 wrote to memory of 2012	2852	svchcst.exe	34
PID 2012 wrote to memory of 3044	2012	WScript.exe	35
PID 2012 wrote to memory of 3044	2012	WScript.exe	35
PID 2012 wrote to memory of 3044	2012	WScript.exe	35
PID 2012 wrote to memory of 3044	2012	WScript.exe	35
PID 3044 wrote to memory of 2656	3044	svchcst.exe	36
PID 3044 wrote to memory of 2656	3044	svchcst.exe	36
PID 3044 wrote to memory of 2656	3044	svchcst.exe	36
PID 3044 wrote to memory of 2656	3044	svchcst.exe	36
PID 2656 wrote to memory of 2776	2656	WScript.exe	37
PID 2656 wrote to memory of 2776	2656	WScript.exe	37
PID 2656 wrote to memory of 2776	2656	WScript.exe	37
PID 2656 wrote to memory of 2776	2656	WScript.exe	37
PID 2776 wrote to memory of 1628	2776	svchcst.exe	38
PID 2776 wrote to memory of 1628	2776	svchcst.exe	38
PID 2776 wrote to memory of 1628	2776	svchcst.exe	38
PID 2776 wrote to memory of 1628	2776	svchcst.exe	38
PID 1628 wrote to memory of 3064	1628	WScript.exe	39
PID 1628 wrote to memory of 3064	1628	WScript.exe	39
PID 1628 wrote to memory of 3064	1628	WScript.exe	39
PID 1628 wrote to memory of 3064	1628	WScript.exe	39
PID 3064 wrote to memory of 2204	3064	svchcst.exe	40
PID 3064 wrote to memory of 2204	3064	svchcst.exe	40
PID 3064 wrote to memory of 2204	3064	svchcst.exe	40
PID 3064 wrote to memory of 2204	3064	svchcst.exe	40
PID 2204 wrote to memory of 1032	2204	WScript.exe	41
PID 2204 wrote to memory of 1032	2204	WScript.exe	41
PID 2204 wrote to memory of 1032	2204	WScript.exe	41
PID 2204 wrote to memory of 1032	2204	WScript.exe	41
PID 1032 wrote to memory of 1356	1032	svchcst.exe	42
PID 1032 wrote to memory of 1356	1032	svchcst.exe	42
PID 1032 wrote to memory of 1356	1032	svchcst.exe	42
PID 1032 wrote to memory of 1356	1032	svchcst.exe	42
PID 1356 wrote to memory of 2544	1356	WScript.exe	43
PID 1356 wrote to memory of 2544	1356	WScript.exe	43
PID 1356 wrote to memory of 2544	1356	WScript.exe	43
PID 1356 wrote to memory of 2544	1356	WScript.exe	43
PID 2544 wrote to memory of 1784	2544	svchcst.exe	44
PID 2544 wrote to memory of 1784	2544	svchcst.exe	44
PID 2544 wrote to memory of 1784	2544	svchcst.exe	44
PID 2544 wrote to memory of 1784	2544	svchcst.exe	44
PID 1784 wrote to memory of 592	1784	WScript.exe	45
PID 1784 wrote to memory of 592	1784	WScript.exe	45
PID 1784 wrote to memory of 592	1784	WScript.exe	45
PID 1784 wrote to memory of 592	1784	WScript.exe	45
PID 592 wrote to memory of 1564	592	svchcst.exe	46
PID 592 wrote to memory of 1564	592	svchcst.exe	46
PID 592 wrote to memory of 1564	592	svchcst.exe	46
PID 592 wrote to memory of 1564	592	svchcst.exe	46
PID 1564 wrote to memory of 2296	1564	WScript.exe	47
PID 1564 wrote to memory of 2296	1564	WScript.exe	47
PID 1564 wrote to memory of 2296	1564	WScript.exe	47
PID 1564 wrote to memory of 2296	1564	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe
"C:\Users\Admin\AppData\Local\Temp\840ec715673dfec31d0db4a240e77ec0885eadc5d8225fae29b43e7eedcb0b9d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2252
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2116
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
eca62092110a9dcdf0cac4a93a4b2429

SHA1
707380a242c7e67de83367416321990db376fdab

SHA256
06629c90935ac65b4bbb9ed42306c3c3712b0b270fcafb52be85e333b39d3af8

SHA512
16fb9138ea2a2ca6d59c175f6ceeb765d3c6238acd147a67c45719c7f71c47e787d00dbe9422bd5810680e5e3f3c061e4a4bd782657548b2d9bfe34296b3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
298f56408ef5bfe14b938d85e57c843d

SHA1
691d78c4c4887333b4679d3e340a7a04caad13a3

SHA256
b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

SHA512
227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
59be592ef5784bfc2ef2597050abc19e

SHA1
278bc5ac5e7f88976d0f6763a93dc488b0de0998

SHA256
88d78ef2de9616e51929cd6389044b326d30a87b6a458877b102608df53db561

SHA512
eb9fcedcae5de7c7eb14398f2f6fb0234c86824a06e1c486a72e5fbe4fb220d5549e9c49a9b8b2c472fe283338db5cbcaa52774a230acd08505e4302dfff8c1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2262aedee79537a2cc647b4b2dff8a68

SHA1
9b89061f7518bf156b4735eef2d610a78e8bb3a5

SHA256
b84c789be7205f8541df3142def3f616fd81217443f2be89212313f1bbd0b870

SHA512
2d17caa8a190f0b3c1669956213f43b1e93d9de775a837ee52bea9ffcca351b58c0b05e641f40343f1bc264aa70c33add108d61108ce825ca32b1481dfe70497

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
cdc96f5897ce215e53258e1d168b4a1f

SHA1
9fc66547225b179f177033c470ab3edea97e2b4a

SHA256
7a605b8cb77ec4ca904d6c45440ac15a13c2376eaf4a8364b16a954b1061ef1b

SHA512
34a1bf591fe4556d8dc1406aeff671e5d3eabdd9c9133fd494f114aed5e025d94af2d4c27941e537e5ea12767489f83d552d54ed79b03d349f30296807dc3a81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3d6690ac4ba7833d965cb265b923ddcd

SHA1
7a1af9c3eff5e400d359cbb03f9b9dab6b009f3e

SHA256
05ab7f4d08e4a5b3837456c97d3da5085cebe383c6ed9801341f2ac97b66ae6a

SHA512
b84d0a8c8c17614ae8d17ef1818b39422ae0933dbf194b397dbd0dc9bdd15752560d4c8ad4f611e360873ece93a672b5df8c86e75ed28253f6bb8843bd0c060e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
17c7d7172717e9d77783823fad0c0cb6

SHA1
caccd0b8ac2452441034ad51be07ef2042f5fd87

SHA256
2128929adb106f26821100235391e25a5680aedcb6c0efac676c9f8eeff2e95f

SHA512
5066e1d45f025f80d0c1065639faedb9194e3c851a4ab9e0281a5cf2ea72e6c2b646bfe80aaa01569e159b9aee086e4eaebb926c273f23ed736431583c4988ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
10d31ade86aff2439c787a52eb17ac6c

SHA1
ec7c386ff1fc36ff94772b7aba4dc12d6ea90b60

SHA256
a4d0af723cf0c0bbd595c8b895b5d117200f913ac2e694c8362eaf9f4844ce6a

SHA512
0edf9ffe906decaba5660b94efeed537c2c95394b59914d6897468959961bbec5755cb5d6b89483633c3611a66f2721309fbfbffc921e21cbd4ca680bcaa19c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
beff0de5b6388557557ee489fefc3527

SHA1
b27f3bc3662f7b22c5dd342c70b53409a355886d

SHA256
97d28636643e85db8c0d893862fb159466a4b32547a3feb5367921c240640466

SHA512
5f8123934dc256db85d6215aabb6e4f3318abb6c2a3403a5b0800527d95a3ec37a522eb44626b022612704f839f4d4bff7ff1c07a14602f08f86ce594ee9ab4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
84235b7c19a852e8c2932738b4592fd0

SHA1
31945e0fa4cb9f57b7f637d57439dec8e6bbe101

SHA256
2f5b512745b9e430463063f899d0b638d6694dabba7420545fb4fecb493a7a90

SHA512
63594e85ac2dd4a01cd823aef24e5c3d3e76d9e8541180e4974dc682a49d36e86da9f2093682ccd05d264658189a75ebf45040549f5c289b391aa0ec71e8f65d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2fee11e2ebd09c5cacfcd7519370a86

SHA1
21374714172754583640f9e000e856d06ff7aa1e

SHA256
27fb00b8335cfebd09170f0658262635c598a8f69b252019d5ea0344403c40e7

SHA512
57383bd50b5cf123bb9693e8307ce28a701edf80a47754c00c3a17f70915c8eded565dac00c354a4a62daea4ec791121362ac9fe2b6f5e86e9afe63fa1323d3c

Download Submit
memory/3008-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download