5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe
Size

1.1MB
MD5

fc805aaf5e42ceeb89a2d70ea1073daa
SHA1

a12a18b346006b4d260c31daf20ebe304b2bc881
SHA256

5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846
SHA512

f24f87cb34436055f763912f4a3470982a99736e71b4fca6fe7f895261db8dbafd53ed8030ab0a628b39d5e215a42b68230e5549b398a3657d4f3f6b17c6a456
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QL:CcaClSFlG4ZM7QzM8

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2804	svchcst.exe
1412	svchcst.exe
2860	svchcst.exe
2372	svchcst.exe
3064	svchcst.exe
944	svchcst.exe
1668	svchcst.exe
1960	svchcst.exe
2676	svchcst.exe
1728	svchcst.exe
2128	svchcst.exe
1084	svchcst.exe
1320	svchcst.exe
1384	svchcst.exe
2412	svchcst.exe
1732	svchcst.exe
2276	svchcst.exe
1804	svchcst.exe
1376	svchcst.exe
2824	svchcst.exe
1932	svchcst.exe
1652	svchcst.exe
880	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
2520	WScript.exe
2520	WScript.exe
2872	WScript.exe
2872	WScript.exe
2744	WScript.exe
2744	WScript.exe
1312	WScript.exe
1312	WScript.exe
2136	WScript.exe
2136	WScript.exe
1724	WScript.exe
1724	WScript.exe
1640	WScript.exe
1640	WScript.exe
1100	WScript.exe
1100	WScript.exe
2596	WScript.exe
2596	WScript.exe
2656	WScript.exe
2656	WScript.exe
1496	WScript.exe
2416	WScript.exe
2416	WScript.exe
3056	WScript.exe
3056	WScript.exe
672	WScript.exe
672	WScript.exe
2524	WScript.exe
2524	WScript.exe
3028	WScript.exe
3028	WScript.exe
2720	WScript.exe
2720	WScript.exe
536	WScript.exe
536	WScript.exe
1584	WScript.exe
1584	WScript.exe
2952	WScript.exe
2952	WScript.exe
920	WScript.exe
920	WScript.exe
2348	WScript.exe
2348	WScript.exe
2336	WScript.exe
2336	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe
2804	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe
2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe
2804	svchcst.exe
2804	svchcst.exe
1412	svchcst.exe
1412	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
944	svchcst.exe
944	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
1728	svchcst.exe
1728	svchcst.exe
2128	svchcst.exe
2128	svchcst.exe
1084	svchcst.exe
1084	svchcst.exe
1320	svchcst.exe
1320	svchcst.exe
1384	svchcst.exe
1384	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
1732	svchcst.exe
1732	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
1804	svchcst.exe
1804	svchcst.exe
1376	svchcst.exe
1376	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
880	svchcst.exe
880	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2520	2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe	30
PID 2600 wrote to memory of 2520	2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe	30
PID 2600 wrote to memory of 2520	2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe	30
PID 2600 wrote to memory of 2520	2600	5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe	30
PID 2520 wrote to memory of 2804	2520	WScript.exe	32
PID 2520 wrote to memory of 2804	2520	WScript.exe	32
PID 2520 wrote to memory of 2804	2520	WScript.exe	32
PID 2520 wrote to memory of 2804	2520	WScript.exe	32
PID 2804 wrote to memory of 2872	2804	svchcst.exe	33
PID 2804 wrote to memory of 2872	2804	svchcst.exe	33
PID 2804 wrote to memory of 2872	2804	svchcst.exe	33
PID 2804 wrote to memory of 2872	2804	svchcst.exe	33
PID 2872 wrote to memory of 1412	2872	WScript.exe	35
PID 2872 wrote to memory of 1412	2872	WScript.exe	35
PID 2872 wrote to memory of 1412	2872	WScript.exe	35
PID 2872 wrote to memory of 1412	2872	WScript.exe	35
PID 1412 wrote to memory of 2744	1412	svchcst.exe	36
PID 1412 wrote to memory of 2744	1412	svchcst.exe	36
PID 1412 wrote to memory of 2744	1412	svchcst.exe	36
PID 1412 wrote to memory of 2744	1412	svchcst.exe	36
PID 2744 wrote to memory of 2860	2744	WScript.exe	37
PID 2744 wrote to memory of 2860	2744	WScript.exe	37
PID 2744 wrote to memory of 2860	2744	WScript.exe	37
PID 2744 wrote to memory of 2860	2744	WScript.exe	37
PID 2860 wrote to memory of 1312	2860	svchcst.exe	38
PID 2860 wrote to memory of 1312	2860	svchcst.exe	38
PID 2860 wrote to memory of 1312	2860	svchcst.exe	38
PID 2860 wrote to memory of 1312	2860	svchcst.exe	38
PID 1312 wrote to memory of 2372	1312	WScript.exe	39
PID 1312 wrote to memory of 2372	1312	WScript.exe	39
PID 1312 wrote to memory of 2372	1312	WScript.exe	39
PID 1312 wrote to memory of 2372	1312	WScript.exe	39
PID 2372 wrote to memory of 2136	2372	svchcst.exe	40
PID 2372 wrote to memory of 2136	2372	svchcst.exe	40
PID 2372 wrote to memory of 2136	2372	svchcst.exe	40
PID 2372 wrote to memory of 2136	2372	svchcst.exe	40
PID 2136 wrote to memory of 3064	2136	WScript.exe	41
PID 2136 wrote to memory of 3064	2136	WScript.exe	41
PID 2136 wrote to memory of 3064	2136	WScript.exe	41
PID 2136 wrote to memory of 3064	2136	WScript.exe	41
PID 3064 wrote to memory of 1724	3064	svchcst.exe	42
PID 3064 wrote to memory of 1724	3064	svchcst.exe	42
PID 3064 wrote to memory of 1724	3064	svchcst.exe	42
PID 3064 wrote to memory of 1724	3064	svchcst.exe	42
PID 1724 wrote to memory of 944	1724	WScript.exe	43
PID 1724 wrote to memory of 944	1724	WScript.exe	43
PID 1724 wrote to memory of 944	1724	WScript.exe	43
PID 1724 wrote to memory of 944	1724	WScript.exe	43
PID 944 wrote to memory of 1640	944	svchcst.exe	44
PID 944 wrote to memory of 1640	944	svchcst.exe	44
PID 944 wrote to memory of 1640	944	svchcst.exe	44
PID 944 wrote to memory of 1640	944	svchcst.exe	44
PID 1640 wrote to memory of 1668	1640	WScript.exe	45
PID 1640 wrote to memory of 1668	1640	WScript.exe	45
PID 1640 wrote to memory of 1668	1640	WScript.exe	45
PID 1640 wrote to memory of 1668	1640	WScript.exe	45
PID 1668 wrote to memory of 1100	1668	svchcst.exe	46
PID 1668 wrote to memory of 1100	1668	svchcst.exe	46
PID 1668 wrote to memory of 1100	1668	svchcst.exe	46
PID 1668 wrote to memory of 1100	1668	svchcst.exe	46
PID 1100 wrote to memory of 1960	1100	WScript.exe	47
PID 1100 wrote to memory of 1960	1100	WScript.exe	47
PID 1100 wrote to memory of 1960	1100	WScript.exe	47
PID 1100 wrote to memory of 1960	1100	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe
"C:\Users\Admin\AppData\Local\Temp\5d63ff1157ee070bd451e6b5104de30f3973e03c4f95d1078922963d3fd7b846.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1732
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
69a03cc29a0c43603b916694a952d3ea

SHA1
fb10fb02ec64b59062a115d8953fc51a91b01fa6

SHA256
0ab039e3e004f0158e3adbb4973d06c03bb5ce305d0b25cc8014824f9e92b2e5

SHA512
450048c0bbef2246035c8b3376581860afe800b1270d9cff45a8c48591251720338200217d61679196c182929741a90b7c39d00d7f82f8d62de15f8a5025ec3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c4e7c6e63669b7ac19a2abc4d482e577

SHA1
0b715c1b8c52526a168c5972ce10621deb7454cb

SHA256
44ce88ac30afb018736ddeb48d6592af936aa52a424f3630ed07f9ff016b3a58

SHA512
f95b66230ceb77d9ce412c472376233324766a3b31adcfe85797f5628b933811c970a7c538ebb06e5c66418656766704206c178745f71bec63bbbabab46af747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd3670279cfd4857ab7ae976f56ad473

SHA1
2b4136cb5f5aa98e7cf48135db771fe497da942f

SHA256
9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

SHA512
30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
49586bddf88b5db5b4106eee55d7e03b

SHA1
3001fb71136b5c8d307695de4f651ccd9b4dcebc

SHA256
bf9c7a65973ae0ee9e2da4bae47ba378234e45820598034a3672edfb233e002d

SHA512
6933b416d4af6997e31e7277ddbf5820f421f01763ee6560e50a0dfb8323e8c66312511b4093d16540c17521f338b239e79d67c70fcda4ff793363e1366d4011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1bfc9d235e46361ed10c5ffec379250d

SHA1
4f733783a8773d785d7db96ebc6d371d740ce5a5

SHA256
8a842076683c4b6ae41effedf7f3b709dbc28ccd98b3b14d05452f02354638f6

SHA512
685f89bb140f0d7bccc26cdad869b296e18d4a3eb9cacbec98e78b5f4611c68f7ddea128a05dc01349601b5eadb996c7a2acc78c77d5ade7692e8a9413347108

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7089aec09a0cf36b0c10b8022d02c526

SHA1
6383d41dd6f3722c9486991c77f8530c9bf609e6

SHA256
7b44a1b51b36deb11aa83fd6fd9074f9c2e2a846b583a825e8fdc7b0cc2e2f19

SHA512
55275013289ed4a6b0629e04aa7022619d210ea2bdbdd730e7b7103e12c945c1e5220ad9e6a320c91b9d759d61720e605ac5c57ba8bbc9d56ea86d62fdc157f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f006e96f9f4e4711ab2f42186afe469c

SHA1
67cbcdab88a636b7ab295da47ee2db7d3c471b3b

SHA256
a3ee3f7c0c5dc6d32c52f5b74d3595b57bbd14ac1f67d6ab27409a9d47f411d9

SHA512
ba988065cd6b0c022a3675a080792a3c87a632f5078703307c30e564c0b0aea153d7b7f0c2783375e8737c49a8a3409f5896234555720d80af0f73f32e2e9e67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
55ee6e81c474ddf7d1ab7aeb32ab25b7

SHA1
fb7a14c38af7e84bb40d0b146a5c57a5966a1f40

SHA256
8e39623f72cfa68d13a008e5c9ba93035febb8cf126a6f3808948c032003e109

SHA512
e35726347d3ab2a278e48fb9a71889b10affa20cdb1f8d82469b8d97cf6685026b495da317d2eb1d69cf3229bc9f6a463419e57a3cde22dd0576d00e2a72507b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5b7c8528863996630a50821251fd3d98

SHA1
0dd228415e48110520c77f08fcd8a84c310f06c6

SHA256
0ca8a69811da9c4b2a65cbddf0efa4978587d5df62f4665364ff241745ae5ee7

SHA512
c49359ab0dee16b6c444c64a62896633b2dba7a7c4452970ad6715ae796bfd530211c468ed4b933cba89ddf6401f007a5438d4850b69e467d102e2fdc308409c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ca2ed702e6f563af22313e8ddc707dde

SHA1
730e935453b8890ea39fa64876169b5ad4b5ab34

SHA256
ba65b0bde76748b40868b2c3413ee661a709923aa3d756ef8dc730126372b133

SHA512
8963bcbca1c8b1bb87bed047367eff8ee6ae64804565c1e70e251458cf66eedc992af0941d7fda6cf06ff80d49d32af5affeeeef91c9e1452d966422d503e939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6be03977be74a64eddea91b1d20b4013

SHA1
5586eb69563d3bb650e16eba3e2a2847671ea8cd

SHA256
118b82f858c4f8bfe4685761e81609feefc3e51f3f8d4e5c00410fd717d8e190

SHA512
6466d87793c129e24f55ee79fa7cef144c452d7e181b8103a21d00f76eba49537bce045527ca80a66a8fe52b159df65a344e59a028512ec2a2b9c6ff93c4a850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
57f101dbdaac64906831c6cb961cc718

SHA1
424569e98b70dd3a2308e21055d2246087b2cc20

SHA256
a0007e7babd996d911dd657a6c5f8974139163e9549c1cb4a14eb7ecd536bb39

SHA512
5ac3f6fa516b7914324c0fd6a94f21f089fe0877e440efbdefafa207459bd7d31d7a141c4a6368a4b1e6511fe67231f5bf62dd9607185ca3d66123710d3ab4fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
be13aad0d9d3e829ef7aea405c6cc5d9

SHA1
1df8fff3b8520c4e66ca7d191b9e0be6615c0116

SHA256
8552f8bd272bb4e91b391c029dff4cdbd429bb5a31a7349d28759ecf8e36e47c

SHA512
c1e3af6a7f8fea4a2a5d19bb9fdb88f0d2e8904cdff2ce0be0e384bfaa2499dc09c23a109f73fc351593f2141240d9f3529ebdc180326adfc3975d9f9a39c1de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
30ba71f2e35472541408d944d4a0e4ae

SHA1
79939c4164177acb44da76fc4c0ad547119228ea

SHA256
ed79ca331660ad6bbe26640773bb9a3b15ad6ff8f87b23db332eda126fbda087

SHA512
5d15fee126d25293fe79a581f1b68ce4a0f7ffc82ed150dda36eb0b13ed14bb1444b6a839b8760261e6dc1fa96a7e217efcbb29f7172dcede6ecb79103f1179e

Download Submit
memory/2600-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download