632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
Size

1.1MB
MD5

52304c8d31077c775b8007b2db2d7328
SHA1

94174a12fb9eb299428f169c428ab128ddb31518
SHA256

632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd
SHA512

8d22c47f47dfa604480599a5e47d9d170801000a02b4b9c7c931581a2a53fedb24f2a159e1367e3a00628662788827df2728c1c9c36f5db4ea99d2f5917783d4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QF:CcaClSFlG4ZM7QzMe

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2772	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2772	svchcst.exe
1996	svchcst.exe
1784	svchcst.exe
2308	svchcst.exe
1084	svchcst.exe
2224	svchcst.exe
352	svchcst.exe
2852	svchcst.exe
2108	svchcst.exe
2176	svchcst.exe
2404	svchcst.exe
924	svchcst.exe
1936	svchcst.exe
3004	svchcst.exe
1920	svchcst.exe
1908	svchcst.exe
2652	svchcst.exe
2108	svchcst.exe
2892	svchcst.exe
820	svchcst.exe
2848	svchcst.exe
324	svchcst.exe
2524	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
2748	WScript.exe
2748	WScript.exe
3044	WScript.exe
3044	WScript.exe
2932	WScript.exe
2932	WScript.exe
2412	WScript.exe
2412	WScript.exe
2076	WScript.exe
2076	WScript.exe
2504	WScript.exe
2504	WScript.exe
2536	WScript.exe
2536	WScript.exe
2792	WScript.exe
2792	WScript.exe
2752	WScript.exe
2752	WScript.exe
320	WScript.exe
320	WScript.exe
2860	WScript.exe
2860	WScript.exe
2848	WScript.exe
2848	WScript.exe
2308	WScript.exe
2308	WScript.exe
1504	WScript.exe
1504	WScript.exe
2012	WScript.exe
2012	WScript.exe
2264	WScript.exe
2264	WScript.exe
2096	WScript.exe
2096	WScript.exe
2024	WScript.exe
2024	WScript.exe
892	WScript.exe
892	WScript.exe
2996	WScript.exe
2996	WScript.exe
2484	WScript.exe
2484	WScript.exe
2484	WScript.exe
2484	WScript.exe
2076	WScript.exe
2076	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
2772	svchcst.exe
2772	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
1784	svchcst.exe
1784	svchcst.exe
2308	svchcst.exe
2308	svchcst.exe
1084	svchcst.exe
1084	svchcst.exe
2224	svchcst.exe
2224	svchcst.exe
352	svchcst.exe
352	svchcst.exe
2852	svchcst.exe
2852	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2176	svchcst.exe
2176	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
924	svchcst.exe
924	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
1920	svchcst.exe
1920	svchcst.exe
1908	svchcst.exe
1908	svchcst.exe
2652	svchcst.exe
2652	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
820	svchcst.exe
820	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
324	svchcst.exe
324	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2748	1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	30
PID 1656 wrote to memory of 2748	1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	30
PID 1656 wrote to memory of 2748	1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	30
PID 1656 wrote to memory of 2748	1656	632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe	30
PID 2748 wrote to memory of 2772	2748	WScript.exe	32
PID 2748 wrote to memory of 2772	2748	WScript.exe	32
PID 2748 wrote to memory of 2772	2748	WScript.exe	32
PID 2748 wrote to memory of 2772	2748	WScript.exe	32
PID 2772 wrote to memory of 3044	2772	svchcst.exe	33
PID 2772 wrote to memory of 3044	2772	svchcst.exe	33
PID 2772 wrote to memory of 3044	2772	svchcst.exe	33
PID 2772 wrote to memory of 3044	2772	svchcst.exe	33
PID 3044 wrote to memory of 1996	3044	WScript.exe	34
PID 3044 wrote to memory of 1996	3044	WScript.exe	34
PID 3044 wrote to memory of 1996	3044	WScript.exe	34
PID 3044 wrote to memory of 1996	3044	WScript.exe	34
PID 1996 wrote to memory of 2932	1996	svchcst.exe	35
PID 1996 wrote to memory of 2932	1996	svchcst.exe	35
PID 1996 wrote to memory of 2932	1996	svchcst.exe	35
PID 1996 wrote to memory of 2932	1996	svchcst.exe	35
PID 2932 wrote to memory of 1784	2932	WScript.exe	36
PID 2932 wrote to memory of 1784	2932	WScript.exe	36
PID 2932 wrote to memory of 1784	2932	WScript.exe	36
PID 2932 wrote to memory of 1784	2932	WScript.exe	36
PID 1784 wrote to memory of 2412	1784	svchcst.exe	37
PID 1784 wrote to memory of 2412	1784	svchcst.exe	37
PID 1784 wrote to memory of 2412	1784	svchcst.exe	37
PID 1784 wrote to memory of 2412	1784	svchcst.exe	37
PID 2412 wrote to memory of 2308	2412	WScript.exe	38
PID 2412 wrote to memory of 2308	2412	WScript.exe	38
PID 2412 wrote to memory of 2308	2412	WScript.exe	38
PID 2412 wrote to memory of 2308	2412	WScript.exe	38
PID 2308 wrote to memory of 2076	2308	svchcst.exe	39
PID 2308 wrote to memory of 2076	2308	svchcst.exe	39
PID 2308 wrote to memory of 2076	2308	svchcst.exe	39
PID 2308 wrote to memory of 2076	2308	svchcst.exe	39
PID 2076 wrote to memory of 1084	2076	WScript.exe	40
PID 2076 wrote to memory of 1084	2076	WScript.exe	40
PID 2076 wrote to memory of 1084	2076	WScript.exe	40
PID 2076 wrote to memory of 1084	2076	WScript.exe	40
PID 1084 wrote to memory of 2504	1084	svchcst.exe	41
PID 1084 wrote to memory of 2504	1084	svchcst.exe	41
PID 1084 wrote to memory of 2504	1084	svchcst.exe	41
PID 1084 wrote to memory of 2504	1084	svchcst.exe	41
PID 2504 wrote to memory of 2224	2504	WScript.exe	42
PID 2504 wrote to memory of 2224	2504	WScript.exe	42
PID 2504 wrote to memory of 2224	2504	WScript.exe	42
PID 2504 wrote to memory of 2224	2504	WScript.exe	42
PID 2224 wrote to memory of 2536	2224	svchcst.exe	43
PID 2224 wrote to memory of 2536	2224	svchcst.exe	43
PID 2224 wrote to memory of 2536	2224	svchcst.exe	43
PID 2224 wrote to memory of 2536	2224	svchcst.exe	43
PID 2536 wrote to memory of 352	2536	WScript.exe	44
PID 2536 wrote to memory of 352	2536	WScript.exe	44
PID 2536 wrote to memory of 352	2536	WScript.exe	44
PID 2536 wrote to memory of 352	2536	WScript.exe	44
PID 352 wrote to memory of 2792	352	svchcst.exe	45
PID 352 wrote to memory of 2792	352	svchcst.exe	45
PID 352 wrote to memory of 2792	352	svchcst.exe	45
PID 352 wrote to memory of 2792	352	svchcst.exe	45
PID 2792 wrote to memory of 2852	2792	WScript.exe	46
PID 2792 wrote to memory of 2852	2792	WScript.exe	46
PID 2792 wrote to memory of 2852	2792	WScript.exe	46
PID 2792 wrote to memory of 2852	2792	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe
"C:\Users\Admin\AppData\Local\Temp\632409420865b0fd19b94907022fb7cbcb800ecdd9b202628fe4bd43e1a070cd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
efe2274eae216f1b0d033b68be91f92f

SHA1
bb6481b2b87f5df6066a729bfe671dc126491901

SHA256
e6c7702842671d1ff05dea3051e316d1d475e9dbf3124bb3f3d6576a3f77e49c

SHA512
f1cc48a39d29e1060b601cf0f541a58b316dc91bc53fb8aa6650a737be079b15a0bd5f6dcd31c6cfa16f2d630558776047ae45818f4b25d74e8ebefa92d679e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c82369839776d3d954a85361e76565

SHA1
fe01d71a20a80f468e5fa4df991eacca97e650a1

SHA256
ecfe1904a389f25b460a8eec64349498fde06733fa12cd5ae8e0c49a9699154f

SHA512
5deb6fd1534298cbc80f4653e60b9dcaba6cfd4af1f3b1e5369929472ab4f8cba7d50d3f63d7154170b5ea84f40f7511f1839f2e89340c6942fede255c93b69f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c92f92a39b74a1a62d4e78cab1e85ce

SHA1
12be3de5566511f06ef1d1354ce14e74381ef078

SHA256
919b452d34117c54e6e79cf6c3d338679c3553dd3ef1bb8d750da8738f6f4166

SHA512
ad945215baeb1b488a43705d18520fea653a881632cfcd8bc79182ce2863d7167e8631043bdea1ee1071eabfb87f7ce63f460becf63c9c2060e51a30fc8171b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1931659cf1a0b565c26fde26192e60ea

SHA1
290204916cf2bd320dd6af5de4fea33f4b987a23

SHA256
8d4ff60de30d55f81dda162ccf8ad556e3a1c9a9e20260d8a767def90595191a

SHA512
9a90635a350ecaf5d4f9c5787f4079e90d6e2983b87e8dc6db38a2d0121e68422d2fc8c7e322c0b6556cd92870713380edf55950260e9369350e96d4603f390e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
22871ebc67ce94c553174441c8e3d00d

SHA1
c87a02efb1d8918af07e094e7e2c279c563f5963

SHA256
dc03bc2be3feb95af21bcbc7dd3e101e87fad615b5d4419b8a827bf9629aed66

SHA512
a5447d85eccaa79278235e15a37d711ec19dc4f6468e1b78020147ac90a570ea1ef54369e512bc4e316a1bfe6870203e90ba0ba9b80da32adb0900059cb557c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c4f0875f8d09bebed0b5e8ce728de21

SHA1
c91981d98ffc8f13fa4902dca64ddcaa56a6a3fb

SHA256
ed7bda157ce61fe21c3a6ffdb6ed5a86339e816d7fdaad54bca448e94797b651

SHA512
fa7d14a5e357ce95cb10a424f56099e3e55b9c8b5ff57a6260d21490ea22758d4e180351556bdc5d93749e5372be276928c3d57a75b899f97440674b51609047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f1e3fc855db42190aef4da9d9f0d2f3c

SHA1
a0082eb878423b3e4a6cc8a15287d08258f3372a

SHA256
24ba30c44268dbec6bf77fcd98f06153414eecb57bba0314bfe17a22883da547

SHA512
4209b6c2abdbc38ac04a91a521c3384757db40de5192323344393b83376e0c61a328cd4147f2582a48712787203a22186af34e4adba8b2a1979d9371bb5b1f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d26688f2a9763cd082ebea7c71ca53de

SHA1
f03c728ec8e0a765b3266ec79a9a2e1aba9b52ec

SHA256
ee9357136878372a70d8c6992e7d25426d92bfcdc578de4007f6966fdefad92a

SHA512
54df9f396ca858dc8d5c2de874763f6d4721cc29b9aae8ad115b1f1db7b2e6fa2e44ea62a60e499d01b8d91af61396f59fb1e61b178b4a46eead78e85277035c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
86a7199505dca9bf34c06927c08ae821

SHA1
79fb8432db9f9f361eb60ca3177e33648d1f1913

SHA256
046501a2f8ea3ad690d76823f30ade715b13c5b5f70f734d23bb47a6bfbdf995

SHA512
01650ff3c08846d5343b7f703876b7762aa8e5e0b4c5039f7eae0b1c33058bac11f13a57d1399f07967c664bedf842ed9c36f2b99f393e995c6de7e7a93bd37d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ef6aa4e22286103fb441030ae9053dd8

SHA1
8b8f69012f36e400b29a6423dafb551b13780547

SHA256
6be36fdd3e5316bc86e507d06e93384b6bd68179231d470925a99a155972dab2

SHA512
d10a46db7e66ba2d9e9966985ce41cd98ba9f9e13dadb50894d4f115f99f59f2d0b6caef93fb9a201e5e84bf27ac6d9b4a9dc6bfe101a683725c76ff0feef4ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0eaad5ea646f5a0b4e61aee44cac2e29

SHA1
297ea804ad7f99e282747c668ea99d2a4e14b25e

SHA256
675b534db9bd6ad97850fce779f704ebbe30edd80d533e698c5d9099982111b7

SHA512
48655da2cde096c490756ee0d75b7a7ea43f94fb1f1bb1d3fb0bd1b5bba6587d62d5b30583c161a83be10c013a8958f80b8721274d8cb1de8bb04a70f67b2995

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
16e61401b8f5b8713506267b63d08882

SHA1
6ce43be0eac724f1da6769980236c1a279e5fc2b

SHA256
acf0b9e71b4b06e4ee95a92d2c54311646e981a6f7d0a454cf3d7098aa543b9f

SHA512
2b0828ead3d391c3215762232743dba8288fbc13fba96e82b07aed14902ff41d1b9c019194e102b3dba4943c648b31620fd7279f20f922b47e50aa90d7652abc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b3f26b362885896205eb7b374c69cd48

SHA1
7bfdbff96dbb1d05281cd990970f677ae77a9483

SHA256
4599721b507dde3dea12789a3915935fa31fd47e8d28eac1246dda5b7046324c

SHA512
a7fc8ae17c0b172cee711057fac308934615057f83b3a8568e08a9ac22afcf80fddb9b6ddd1938341ec23f176aa581cb0ce40903d3f86017ceffeec8ff5a3aa6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fac31554e52af596a1ac387d1f98620f

SHA1
c589361744dd96cb69f39741e34cbb47eaa308f6

SHA256
bffb174f1aeb005e8d35cc3f3399903c442463b24455f7f6f92d1555387cb86d

SHA512
4406a8f5c002eb7cb4ddf3453c3ed69d3386f1a19ab2129c4dfafed053d3b15181e7f7e69fc8b94fa9717781de0c08ffbe955222dbd2c9aaf2ff67b1df30a59c

Download Submit
memory/1656-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download