d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe
Size

1.1MB
MD5

031bc22357284f776e5cd2799c481a61
SHA1

a4886dae501dea5452ad094d02fce52bb3868937
SHA256

d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1
SHA512

1813d72a12ade83fff40aba2b128f6fd9e4971d8b1664fa9df8ddd854a13225b24efaadb3da7dcc9fdc6bff6498eb87600dab3768b74c859e71d4a2f65b5f506
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qg:CcaClSFlG4ZM7QzMX

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2560	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2560	svchcst.exe
400	svchcst.exe
3016	svchcst.exe
2060	svchcst.exe
288	svchcst.exe
2900	svchcst.exe
1248	svchcst.exe
596	svchcst.exe
2500	svchcst.exe
2340	svchcst.exe
876	svchcst.exe
2356	svchcst.exe
1720	svchcst.exe
316	svchcst.exe
1640	svchcst.exe
2632	svchcst.exe
2404	svchcst.exe
2936	svchcst.exe
2588	svchcst.exe
1532	svchcst.exe
2400	svchcst.exe
1696	svchcst.exe
2000	svchcst.exe

Loads dropped DLL 46 IoCs

pid	Process
3064	WScript.exe
3064	WScript.exe
2980	WScript.exe
2980	WScript.exe
2972	WScript.exe
2972	WScript.exe
1424	WScript.exe
1424	WScript.exe
832	WScript.exe
832	WScript.exe
2296	WScript.exe
2296	WScript.exe
2668	WScript.exe
2668	WScript.exe
2748	WScript.exe
2748	WScript.exe
556	WScript.exe
556	WScript.exe
2964	WScript.exe
2964	WScript.exe
1156	WScript.exe
1156	WScript.exe
768	WScript.exe
768	WScript.exe
844	WScript.exe
844	WScript.exe
1312	WScript.exe
1312	WScript.exe
1752	WScript.exe
1752	WScript.exe
2132	WScript.exe
2132	WScript.exe
696	WScript.exe
696	WScript.exe
2948	WScript.exe
2948	WScript.exe
1440	WScript.exe
1440	WScript.exe
2880	WScript.exe
2880	WScript.exe
876	WScript.exe
876	WScript.exe
2356	WScript.exe
2356	WScript.exe
2052	WScript.exe
2052	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe
2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe
2560	svchcst.exe
2560	svchcst.exe
400	svchcst.exe
400	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
2060	svchcst.exe
2060	svchcst.exe
288	svchcst.exe
288	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
1248	svchcst.exe
1248	svchcst.exe
596	svchcst.exe
596	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
2340	svchcst.exe
2340	svchcst.exe
876	svchcst.exe
876	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
1720	svchcst.exe
1720	svchcst.exe
316	svchcst.exe
316	svchcst.exe
1640	svchcst.exe
1640	svchcst.exe
2632	svchcst.exe
2632	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
1532	svchcst.exe
1532	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 3064	2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe	30
PID 2820 wrote to memory of 3064	2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe	30
PID 2820 wrote to memory of 3064	2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe	30
PID 2820 wrote to memory of 3064	2820	d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe	30
PID 3064 wrote to memory of 2560	3064	WScript.exe	32
PID 3064 wrote to memory of 2560	3064	WScript.exe	32
PID 3064 wrote to memory of 2560	3064	WScript.exe	32
PID 3064 wrote to memory of 2560	3064	WScript.exe	32
PID 2560 wrote to memory of 2980	2560	svchcst.exe	33
PID 2560 wrote to memory of 2980	2560	svchcst.exe	33
PID 2560 wrote to memory of 2980	2560	svchcst.exe	33
PID 2560 wrote to memory of 2980	2560	svchcst.exe	33
PID 2980 wrote to memory of 400	2980	WScript.exe	34
PID 2980 wrote to memory of 400	2980	WScript.exe	34
PID 2980 wrote to memory of 400	2980	WScript.exe	34
PID 2980 wrote to memory of 400	2980	WScript.exe	34
PID 400 wrote to memory of 2972	400	svchcst.exe	35
PID 400 wrote to memory of 2972	400	svchcst.exe	35
PID 400 wrote to memory of 2972	400	svchcst.exe	35
PID 400 wrote to memory of 2972	400	svchcst.exe	35
PID 2972 wrote to memory of 3016	2972	WScript.exe	36
PID 2972 wrote to memory of 3016	2972	WScript.exe	36
PID 2972 wrote to memory of 3016	2972	WScript.exe	36
PID 2972 wrote to memory of 3016	2972	WScript.exe	36
PID 3016 wrote to memory of 1424	3016	svchcst.exe	37
PID 3016 wrote to memory of 1424	3016	svchcst.exe	37
PID 3016 wrote to memory of 1424	3016	svchcst.exe	37
PID 3016 wrote to memory of 1424	3016	svchcst.exe	37
PID 1424 wrote to memory of 2060	1424	WScript.exe	39
PID 1424 wrote to memory of 2060	1424	WScript.exe	39
PID 1424 wrote to memory of 2060	1424	WScript.exe	39
PID 1424 wrote to memory of 2060	1424	WScript.exe	39
PID 2060 wrote to memory of 2216	2060	svchcst.exe	40
PID 2060 wrote to memory of 2216	2060	svchcst.exe	40
PID 2060 wrote to memory of 2216	2060	svchcst.exe	40
PID 2060 wrote to memory of 2216	2060	svchcst.exe	40
PID 2060 wrote to memory of 832	2060	svchcst.exe	41
PID 2060 wrote to memory of 832	2060	svchcst.exe	41
PID 2060 wrote to memory of 832	2060	svchcst.exe	41
PID 2060 wrote to memory of 832	2060	svchcst.exe	41
PID 832 wrote to memory of 288	832	WScript.exe	42
PID 832 wrote to memory of 288	832	WScript.exe	42
PID 832 wrote to memory of 288	832	WScript.exe	42
PID 832 wrote to memory of 288	832	WScript.exe	42
PID 288 wrote to memory of 2296	288	svchcst.exe	43
PID 288 wrote to memory of 2296	288	svchcst.exe	43
PID 288 wrote to memory of 2296	288	svchcst.exe	43
PID 288 wrote to memory of 2296	288	svchcst.exe	43
PID 2296 wrote to memory of 2900	2296	WScript.exe	44
PID 2296 wrote to memory of 2900	2296	WScript.exe	44
PID 2296 wrote to memory of 2900	2296	WScript.exe	44
PID 2296 wrote to memory of 2900	2296	WScript.exe	44
PID 2900 wrote to memory of 2668	2900	svchcst.exe	45
PID 2900 wrote to memory of 2668	2900	svchcst.exe	45
PID 2900 wrote to memory of 2668	2900	svchcst.exe	45
PID 2900 wrote to memory of 2668	2900	svchcst.exe	45
PID 2668 wrote to memory of 1248	2668	WScript.exe	46
PID 2668 wrote to memory of 1248	2668	WScript.exe	46
PID 2668 wrote to memory of 1248	2668	WScript.exe	46
PID 2668 wrote to memory of 1248	2668	WScript.exe	46
PID 1248 wrote to memory of 2748	1248	svchcst.exe	47
PID 1248 wrote to memory of 2748	1248	svchcst.exe	47
PID 1248 wrote to memory of 2748	1248	svchcst.exe	47
PID 1248 wrote to memory of 2748	1248	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe
"C:\Users\Admin\AppData\Local\Temp\d0613e01498071152bcfa5d00a0c446dbe9155778971ed932ae87fe317d94bd1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:596
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ef8553822edbf4d4b878273763a148e1

SHA1
9edf73c1ef88bccbfb55384922f2fa166db0195d

SHA256
8f61bf757efef84dc9f0ba2bf4d5596e7202f63d6d3cdb60c53bb0fef9e88045

SHA512
b2e551f10999880909349c8e4e5bf0d909cbd3d3f1f8ca2447d4f629d347ef176538082926c141950fb22096fa5963e9d15ee76c2225a4cafd83956b7d91567b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
68131c1f4506af5c010d5e01f031bfae

SHA1
51cc54917c040091c3a39dd33ec52fc5f4cb4c15

SHA256
d235953ddf5884a014ce05d8a26b9b93bafd580bdeda08e369e2d6e395d34a95

SHA512
69be7da57430dd6d3f1deea9c2a4f78a0ec41a74fc593f033a7944504cd9c4fe6d2f7a0be052e40238a4389b649c36a603b1725959fab050a0114714a6d65c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f68761d0622df41d256ee6fc39583d8a

SHA1
2dd40e574a86ff4b4be5e6aca6fda4d7fcc33d56

SHA256
b4bf1092c76497e935596e32fcb9119a44acab11e9b80b660ecea53867655245

SHA512
fd70e0b445bcd24117b449853c98a4996063d49f774a55bc5aca087b44cdb5381974551c4fcd2d3d1c82cd708fcb616009519f3914267ea5c37cdda4d31ea3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4cf7a2ae6e29068c15e9c309fcd08496

SHA1
166f14ec51416b6c3e60548edeb2d0aae28e67fb

SHA256
0ec1d8aa23417622d1f0e42f5fff28f98db9217d10fc255d1ed555e98a0d264c

SHA512
690092a89a7f6ce0c1d23a96c02e12a773f0a79b992e2f793c5789c4bd979df6442ea711125e42462abf4caab29686bac8a0f918c62f857f14e653b1aeb6d27a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6a176a96ecae8d58773ee1bb571f08be

SHA1
beb4e24b7cb543f7d58d40fd6aea69a29e1ad4fd

SHA256
6a6c05278be54ae55b716021dd81ba2c8ffccb08e4cd57e8023715ad02e32510

SHA512
ecaa0247251cb2a616acd224dd589dff3192ae4df8ae020ec7b3109c6a8e3de39b750cfd5e603a74f72c80edd84952ee97b88e2275740589bc9feefe5b6205ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c28377a050cf751a521406d0c966c899

SHA1
9a7426cdacfd986e1eb9b77e583e99f0d2af305a

SHA256
6d8bf6910227935ad75869200c0f92675f8a6331337c985b2b50aa4f0a17f19f

SHA512
b28863035d056ffe1201553526d3ac3c9a794c440899ecf7bfcfa2e2fba216896f0ba399a35439ca160331fabc3165d4a524bbfeb22fba625d7c3f69de043fe1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8761c9da0091705d32e07b1765af28c8

SHA1
ca778c99f0656f2aacc1c7cb75cb3e34286929fb

SHA256
c395ad0fca49518e278231fbb56e8bd0d8384c51ffd91df79e4c931c1a5afbed

SHA512
b6d4342501adf610140d47e404c48fd4f3cba759919f18d26e251cb1b006c97e707f5e0de0a36a851d44349e10b0e62e1a83998ebc8156091652c0c4e8851d13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7d5348c2356f05ad37776e40af7e52fc

SHA1
1a1b118832ad412160808047047dc778b422e223

SHA256
d47e0b145f86d234552da2c03ac052c08cc8e5b1c5a099235571af0793981806

SHA512
cff40094e1f8b54360690b5108eb739eec92bce77fc8fd9c5e2550a2aa6650ad0eee3cb3226d588027d86091e584677b2ce3d33d5c6d221b38581c467a848487

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b607382c3b40654a7014b7d98a3bacaf

SHA1
aa1f88be9741d51688cddee67040a74633d06cd9

SHA256
3177141b2449d6ddd7f64ea1960331228c3e876bfdca0adebb7b87411a07119e

SHA512
c82003c5aa1db08b1bff94fd22008a482b8672a5c33474fa8289017d5624d5374298a8786fbf166097a7e08ed2511136f30dfdc9ddc8338aab8756f63878890c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
228b7441d2cdc3d230bbe4886d4d462d

SHA1
0989c6f1527a49b1aa07f9a96bd88dc90e02b7d0

SHA256
1cb2467133af855452140d095f8fed58fb16835c359dd57e81afec4e1efe3ba3

SHA512
73110cbc568a4f028ecbebeb95231d58364298b2a7656996b860f2060f425c6921cb21d7f96c175114bc6be14197ac88276b48ab1368e9437a3055c602d21981

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2d93ad14ebdebf8eac4d42bf32e61453

SHA1
0e0b3c19c719e2a2ace4b3f20a3d210f63ca5db9

SHA256
45ba5c3093c66937dea3cea4f5cbe41798a3a431a94f791b63a065528134b3d0

SHA512
0ae716cc230bfff8026e1ff376f2b32d2961e27c9145115be02c71b5a8fc8e8f1ca837c28337930419a4a3c96ca9daff224974913cc9708b1283c22770daeb6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
294273e52ba7f9edbe328c258cd0213b

SHA1
7e02ce0779ed258c52c70af85d85863e1749b401

SHA256
a7d245d9b81824ea0a6195a4e2e249fae531e45b12b8308ee1a7f062a91df5e0

SHA512
848819b28558d3f47daa7840d4a8374e635a10c215556d5140e817b52f9eb406e6c3036dc31833dac2caf5b9654a75f687c6011f30855f0ebedd68d511451b31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f90bcace7723544af5cd69bc36178f0a

SHA1
5c99990f51b582800471ef9a5f3899c984547330

SHA256
6f0ee3a98e0cc9cbe93404da5b8284c70f85318a2cfe534acce1aa8295383999

SHA512
a3838e0b5e5e6a841f8c9f969e4ab2df9ad68ae2dd09d81bb8a34a9f6c94c27864198fd73a33eb4970d9a901dede071aeb82189e99691cf78e702408bb609901

Download Submit
memory/2820-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download