1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
Size

1.1MB
MD5

6519c7aa42263db95e7346ebbdebb274
SHA1

0bff4170d4eb65a947a6cf6eafe9bb7db2dde89c
SHA256

1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c
SHA512

09a1ba84d51d238acdf75f0f3453ed7c6d87ce87900a40a6cea2dd122e636dc146d4eb9f9fdb390b0b09bac66d4c8704a86edeb82df1c7c22562b196f7b8d0d6
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q1:CcaClSFlG4ZM7QzM+

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2944	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2944	svchcst.exe
2904	svchcst.exe
2920	svchcst.exe
2092	svchcst.exe
1096	svchcst.exe
1736	svchcst.exe
2856	svchcst.exe
1656	svchcst.exe
2064	svchcst.exe
1996	svchcst.exe
1952	svchcst.exe
1524	svchcst.exe
1628	svchcst.exe
996	svchcst.exe
580	svchcst.exe
2996	svchcst.exe
2912	svchcst.exe
1948	svchcst.exe
1912	svchcst.exe
1788	svchcst.exe
2460	svchcst.exe
1048	svchcst.exe
1700	svchcst.exe
2740	svchcst.exe

Loads dropped DLL 45 IoCs

pid	Process
2624	WScript.exe
2624	WScript.exe
2980	WScript.exe
2980	WScript.exe
856	WScript.exe
856	WScript.exe
2980	WScript.exe
2980	WScript.exe
1652	WScript.exe
1652	WScript.exe
648	WScript.exe
2524	WScript.exe
2524	WScript.exe
2524	WScript.exe
2344	WScript.exe
2344	WScript.exe
2816	WScript.exe
2816	WScript.exe
2688	WScript.exe
2688	WScript.exe
884	WScript.exe
828	WScript.exe
828	WScript.exe
1308	WScript.exe
1308	WScript.exe
2500	WScript.exe
2500	WScript.exe
2836	WScript.exe
2836	WScript.exe
2944	WScript.exe
2944	WScript.exe
2360	WScript.exe
2360	WScript.exe
1032	WScript.exe
1032	WScript.exe
2272	WScript.exe
2272	WScript.exe
2992	WScript.exe
2992	WScript.exe
564	WScript.exe
564	WScript.exe
1748	WScript.exe
1748	WScript.exe
1188	WScript.exe
1188	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
2944	svchcst.exe
2944	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2920	svchcst.exe
2920	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
1096	svchcst.exe
1096	svchcst.exe
1736	svchcst.exe
1736	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
1656	svchcst.exe
1656	svchcst.exe
2064	svchcst.exe
2064	svchcst.exe
1996	svchcst.exe
1996	svchcst.exe
1952	svchcst.exe
1952	svchcst.exe
1524	svchcst.exe
1524	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
996	svchcst.exe
996	svchcst.exe
580	svchcst.exe
580	svchcst.exe
2996	svchcst.exe
2996	svchcst.exe
2912	svchcst.exe
2912	svchcst.exe
1948	svchcst.exe
1948	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
1788	svchcst.exe
1788	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
1700	svchcst.exe
1700	svchcst.exe
2740	svchcst.exe
2740	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2624	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	30
PID 2736 wrote to memory of 2624	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	30
PID 2736 wrote to memory of 2624	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	30
PID 2736 wrote to memory of 2624	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	30
PID 2736 wrote to memory of 2616	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	31
PID 2736 wrote to memory of 2616	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	31
PID 2736 wrote to memory of 2616	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	31
PID 2736 wrote to memory of 2616	2736	1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe	31
PID 2624 wrote to memory of 2944	2624	WScript.exe	33
PID 2624 wrote to memory of 2944	2624	WScript.exe	33
PID 2624 wrote to memory of 2944	2624	WScript.exe	33
PID 2624 wrote to memory of 2944	2624	WScript.exe	33
PID 2944 wrote to memory of 856	2944	svchcst.exe	34
PID 2944 wrote to memory of 856	2944	svchcst.exe	34
PID 2944 wrote to memory of 856	2944	svchcst.exe	34
PID 2944 wrote to memory of 856	2944	svchcst.exe	34
PID 2944 wrote to memory of 2980	2944	svchcst.exe	35
PID 2944 wrote to memory of 2980	2944	svchcst.exe	35
PID 2944 wrote to memory of 2980	2944	svchcst.exe	35
PID 2944 wrote to memory of 2980	2944	svchcst.exe	35
PID 2980 wrote to memory of 2904	2980	WScript.exe	36
PID 2980 wrote to memory of 2904	2980	WScript.exe	36
PID 2980 wrote to memory of 2904	2980	WScript.exe	36
PID 2980 wrote to memory of 2904	2980	WScript.exe	36
PID 856 wrote to memory of 2920	856	WScript.exe	37
PID 856 wrote to memory of 2920	856	WScript.exe	37
PID 856 wrote to memory of 2920	856	WScript.exe	37
PID 856 wrote to memory of 2920	856	WScript.exe	37
PID 2920 wrote to memory of 1516	2920	svchcst.exe	38
PID 2920 wrote to memory of 1516	2920	svchcst.exe	38
PID 2920 wrote to memory of 1516	2920	svchcst.exe	38
PID 2920 wrote to memory of 1516	2920	svchcst.exe	38
PID 2980 wrote to memory of 2092	2980	WScript.exe	39
PID 2980 wrote to memory of 2092	2980	WScript.exe	39
PID 2980 wrote to memory of 2092	2980	WScript.exe	39
PID 2980 wrote to memory of 2092	2980	WScript.exe	39
PID 2092 wrote to memory of 668	2092	svchcst.exe	40
PID 2092 wrote to memory of 668	2092	svchcst.exe	40
PID 2092 wrote to memory of 668	2092	svchcst.exe	40
PID 2092 wrote to memory of 668	2092	svchcst.exe	40
PID 2092 wrote to memory of 1652	2092	svchcst.exe	41
PID 2092 wrote to memory of 1652	2092	svchcst.exe	41
PID 2092 wrote to memory of 1652	2092	svchcst.exe	41
PID 2092 wrote to memory of 1652	2092	svchcst.exe	41
PID 1652 wrote to memory of 1096	1652	WScript.exe	43
PID 1652 wrote to memory of 1096	1652	WScript.exe	43
PID 1652 wrote to memory of 1096	1652	WScript.exe	43
PID 1652 wrote to memory of 1096	1652	WScript.exe	43
PID 1096 wrote to memory of 648	1096	svchcst.exe	44
PID 1096 wrote to memory of 648	1096	svchcst.exe	44
PID 1096 wrote to memory of 648	1096	svchcst.exe	44
PID 1096 wrote to memory of 648	1096	svchcst.exe	44
PID 1096 wrote to memory of 1056	1096	svchcst.exe	45
PID 1096 wrote to memory of 1056	1096	svchcst.exe	45
PID 1096 wrote to memory of 1056	1096	svchcst.exe	45
PID 1096 wrote to memory of 1056	1096	svchcst.exe	45
PID 648 wrote to memory of 1736	648	WScript.exe	46
PID 648 wrote to memory of 1736	648	WScript.exe	46
PID 648 wrote to memory of 1736	648	WScript.exe	46
PID 648 wrote to memory of 1736	648	WScript.exe	46
PID 1736 wrote to memory of 2524	1736	svchcst.exe	47
PID 1736 wrote to memory of 2524	1736	svchcst.exe	47
PID 1736 wrote to memory of 2524	1736	svchcst.exe	47
PID 1736 wrote to memory of 2524	1736	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe
"C:\Users\Admin\AppData\Local\Temp\1cae720dc4b8901f0be74be1583319caa992cb030f39f0eb88a1ec382bbdf48c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2904
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:668
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1524
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
d75071c07525e608ac168868bd1df38b

SHA1
091454c6c5b806b854b42c3eddde8c79d4a4e58f

SHA256
bfc9e4a5da806cadb4a777556d7d33fa69b96f075186a9d9be88586c2bcf97d5

SHA512
542590dbd88e0eb7f5b97bb1980f92166da67b495053f9e4f31ca83b43db8b83c5293d50d08e7cb6ad6a5e6504ab7e74a8d91163cf8d27aa564dcc9401b88603

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f3159db8bd483868144429c5909d280a

SHA1
a3698b1ebb0e43a564357bb77c3462539a114f87

SHA256
f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c

SHA512
328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8cb32754e88999ece2a392d94875313e

SHA1
da0ef4e297872b82db206ebdc4cafefeed2a4e3d

SHA256
3dc5ae697f3f5a3ffe053412e05a646883c49be29b179039ceadf5f71a595f9d

SHA512
a331a2472d0ef04f4d6a9b41a147020a688c96977feec8d61878f31382af8c27b8e990dc404137475d48f0155d600cc0d6ebe0a5d1cbb60b1fecf364301ebaa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
85fa416be0b995c6e53ce5e2df106d8a

SHA1
bcffe6d0eb7594897fb6c1c1e6e409bacd04f009

SHA256
f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293

SHA512
5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5200291c61f8a54498d5ea3882597c4f

SHA1
7faf4fa36d25b6e6a25fa637cd4d565bacfc98c9

SHA256
370d3f0009b4f5179e917aaf335aa8267dd7e03688f0fff18f72d7d7af43d55f

SHA512
7fab6730403115fe4a56ca1d5d9056a0796ca40f75c0499cb0a1d7cb77ad696163f960414f3248c7893a1cc99dadcdb73251603bca50a54668b45b79bc62b06e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9f6e23042bafc46ab5ba782ed0c813ba

SHA1
e9f20e4bdaad0b4b7cb76544f0973d75b09c66ca

SHA256
8aea3fcd965712c8e8cce8287ca9d203816c04f250ac0a89972b685bb822cd36

SHA512
1a7855a75f02f5086c59095bb647ec889b3383706adea6391093bd6b808b9597dadb02ea5d0ce6f4e8897dad958397cbeff80fae40a8afbcaf12d34fe9fc8e51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fb471b5e488e0aff50aa4d4d416b98a2

SHA1
53cd0ee7c720e1baf957aa77179c186ed4c6740e

SHA256
fffd0d9858c2e9c2bb09ee29c02192753caf6e06a6be5b48619b1db2e4bef66a

SHA512
0347baedb2fd490efcef0360123e390ac966f5e116c5bcca75c51afa261d722870eab7a84fa353bc70c32054333613440ce1419813418f76ed1696c8a307fde5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1b809b007f5426f1e68581a411357b64

SHA1
f66514c6b7df37a6d1b7056aa928ce1d39bc72c7

SHA256
89899ba729eec1932ad1834eb439b443c374d49250a830c1cd419014bcc06062

SHA512
77e03a44826e70d5769cabd1ee4de945cd41b5f6fbf0c6c485555713bae8ae2cf3e71b0f75d1327e1de41db9fef465cd8f1b5b4317edbb7552c349cea22c23ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2c99eeeb5b248498111d98ec623b18d8

SHA1
d272e81332688512e253e0af3a1dc37e9cfe52fb

SHA256
986a196fde2962d9e68323706212116bea8f5406522637368591c7382bbae09a

SHA512
e560aa589ac735d8c164e06c1ae627cd0f71beb582acce5c85f32a301e052cf91607b17350647d91c7ebf559e9bb4a9b10cb016de195963b7bed0e7db69242e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4e3913f2e650c67b94c815959de2b3a1

SHA1
25d07b51a19e7752fabb1a642529cf5819706324

SHA256
f752a9402b609fcf9e33f798c411d44cdc140974a135e5f6fe8d1bea76c98e83

SHA512
ac7542ff2abd16484e1367b186e5ab5d0848d88446ea4ced2cf1dae8ac37d7c711d96dcc2f025248d3c2ca4ae6e8065c8d99d754e62e8c5fd31da9520f55b28e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
18f22260a75a93ccb3bc4f371ff2927b

SHA1
6921735280b11ff06be21afd1898c30619a6acf6

SHA256
098c647e79a78966ed57626003b0284b436c40057341064262f0e0c379f49db8

SHA512
0a2f260a3a97f26520b470be5f9e3e11fcc45bedcb0a9f188c3e752579d68c855169226291e8fc889ee077867d32e45fadd50a95a7cbc83ed20abf4b1a87b217

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5cc9e82b0d792fe1197b48563ae695ac

SHA1
b4bd4b628140e0a25d28b7b08696ed9fa8ec604a

SHA256
5a4e27fc5be1c3e280086ada263b651196c3a11a0ce56d7892fc623443b7a84c

SHA512
e1b79aa1717ba850000be5a63f09293225000b2c093c8f17e62afdacc8f796c0963584f125edcf8cc432714b430f306a70d2be29b66b1d414e10b06b802d008f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b5c23371384ef20fbae8ce1fba38a9d0

SHA1
0f4ceec86dc916e5ba31ca1e994ec073287e21c7

SHA256
2c84a2283f1cd7e9d1a6571b31f0626e1ac7b23dd43bfea2fe9e3ad17406d812

SHA512
faaa79ed1506d8972b5de3177ed517acf719854c7def4aceffcb8a54e5024029cc986e8d8a3664f11de3415aa93c4e2e1bbd369b3d5f22d64b312fdfd9f3fae7

Download Submit
memory/2736-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download