88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39

Analysis

max time kernel
64s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
Size

1.1MB
MD5

400f693c2c8abb895b25e5fb410dd022
SHA1

bca9d595d5559c953b15985cfba5b2fc84b6467d
SHA256

88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39
SHA512

9ba0ac473594e43b1e2f493566201801d8849945e079b9b552f37fefbf9424e399a7f415212df2206c26548d30a58a601b47431235a5690631a97d03aab617dc
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QE:CcaClSFlG4ZM7QzMj

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2904	svchcst.exe

Executes dropped EXE 9 IoCs

pid	Process
2904	svchcst.exe
1332	svchcst.exe
2092	svchcst.exe
2084	svchcst.exe
1484	svchcst.exe
2180	svchcst.exe
1216	svchcst.exe
3032	svchcst.exe
2248	svchcst.exe

Loads dropped DLL 10 IoCs

pid	Process
3068	WScript.exe
3068	WScript.exe
2588	WScript.exe
568	WScript.exe
568	WScript.exe
2280	WScript.exe
2280	WScript.exe
1036	WScript.exe
2428	WScript.exe
2696	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
2904	svchcst.exe
2904	svchcst.exe
1332	svchcst.exe
1332	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
1484	svchcst.exe
1484	svchcst.exe
2180	svchcst.exe
2180	svchcst.exe
1216	svchcst.exe
1216	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3068	2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe	30
PID 2272 wrote to memory of 3068	2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe	30
PID 2272 wrote to memory of 3068	2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe	30
PID 2272 wrote to memory of 3068	2272	88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe	30
PID 3068 wrote to memory of 2904	3068	WScript.exe	32
PID 3068 wrote to memory of 2904	3068	WScript.exe	32
PID 3068 wrote to memory of 2904	3068	WScript.exe	32
PID 3068 wrote to memory of 2904	3068	WScript.exe	32
PID 2904 wrote to memory of 2588	2904	svchcst.exe	33
PID 2904 wrote to memory of 2588	2904	svchcst.exe	33
PID 2904 wrote to memory of 2588	2904	svchcst.exe	33
PID 2904 wrote to memory of 2588	2904	svchcst.exe	33
PID 2588 wrote to memory of 1332	2588	WScript.exe	34
PID 2588 wrote to memory of 1332	2588	WScript.exe	34
PID 2588 wrote to memory of 1332	2588	WScript.exe	34
PID 2588 wrote to memory of 1332	2588	WScript.exe	34
PID 1332 wrote to memory of 568	1332	svchcst.exe	35
PID 1332 wrote to memory of 568	1332	svchcst.exe	35
PID 1332 wrote to memory of 568	1332	svchcst.exe	35
PID 1332 wrote to memory of 568	1332	svchcst.exe	35
PID 568 wrote to memory of 2092	568	WScript.exe	36
PID 568 wrote to memory of 2092	568	WScript.exe	36
PID 568 wrote to memory of 2092	568	WScript.exe	36
PID 568 wrote to memory of 2092	568	WScript.exe	36
PID 2092 wrote to memory of 1832	2092	svchcst.exe	37
PID 2092 wrote to memory of 1832	2092	svchcst.exe	37
PID 2092 wrote to memory of 1832	2092	svchcst.exe	37
PID 2092 wrote to memory of 1832	2092	svchcst.exe	37
PID 568 wrote to memory of 2084	568	WScript.exe	38
PID 568 wrote to memory of 2084	568	WScript.exe	38
PID 568 wrote to memory of 2084	568	WScript.exe	38
PID 568 wrote to memory of 2084	568	WScript.exe	38
PID 2084 wrote to memory of 2280	2084	svchcst.exe	60
PID 2084 wrote to memory of 2280	2084	svchcst.exe	60
PID 2084 wrote to memory of 2280	2084	svchcst.exe	60
PID 2084 wrote to memory of 2280	2084	svchcst.exe	60
PID 2280 wrote to memory of 1484	2280	WScript.exe	40
PID 2280 wrote to memory of 1484	2280	WScript.exe	40
PID 2280 wrote to memory of 1484	2280	WScript.exe	40
PID 2280 wrote to memory of 1484	2280	WScript.exe	40
PID 1484 wrote to memory of 1688	1484	svchcst.exe	41
PID 1484 wrote to memory of 1688	1484	svchcst.exe	41
PID 1484 wrote to memory of 1688	1484	svchcst.exe	41
PID 1484 wrote to memory of 1688	1484	svchcst.exe	41
PID 2280 wrote to memory of 2180	2280	WScript.exe	42
PID 2280 wrote to memory of 2180	2280	WScript.exe	42
PID 2280 wrote to memory of 2180	2280	WScript.exe	42
PID 2280 wrote to memory of 2180	2280	WScript.exe	42
PID 2180 wrote to memory of 1036	2180	svchcst.exe	43
PID 2180 wrote to memory of 1036	2180	svchcst.exe	43
PID 2180 wrote to memory of 1036	2180	svchcst.exe	43
PID 2180 wrote to memory of 1036	2180	svchcst.exe	43
PID 1036 wrote to memory of 1216	1036	WScript.exe	44
PID 1036 wrote to memory of 1216	1036	WScript.exe	44
PID 1036 wrote to memory of 1216	1036	WScript.exe	44
PID 1036 wrote to memory of 1216	1036	WScript.exe	44
PID 1216 wrote to memory of 2428	1216	svchcst.exe	45
PID 1216 wrote to memory of 2428	1216	svchcst.exe	45
PID 1216 wrote to memory of 2428	1216	svchcst.exe	45
PID 1216 wrote to memory of 2428	1216	svchcst.exe	45
PID 2428 wrote to memory of 3032	2428	WScript.exe	46
PID 2428 wrote to memory of 3032	2428	WScript.exe	46
PID 2428 wrote to memory of 3032	2428	WScript.exe	46
PID 2428 wrote to memory of 3032	2428	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe
"C:\Users\Admin\AppData\Local\Temp\88a3d2170ec08bdd937fe83247ccd217b8bbd5e12d1310244483a4873d843b39.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1332
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        
        PID:288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        
        PID:868
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
dc591da6847ff2846baebc070c548042

SHA1
9a487751d40f2b5c9db0d2f2c63dd8b8c321d5b5

SHA256
9cf75576bb8dd4399dfd9355dde70e425d3be5d69665c5d2dddec8662afc8da7

SHA512
5b640e2edfc6499277a9b391362fd00a58e6c9f666c567dd55fac01ea11a76243fc8bf5f6b56a32daa326e429e9bfbcc91c29272dbb5f0e23ec7b0a87697d8bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
632419f9e97777f0bcd1af67443cadae

SHA1
52edb2e30a2b1156ff9f77c0fe7435bc1a616ac8

SHA256
50e39163065b39c8cac4f381ff35c00972adde6c6fcd6d9cf555d1b0b8b68554

SHA512
b9b188d33cab5023dd410c0d6c01b5b200c003b432d44fe47da9b6ca1d4a5fa6fd3e869baeac6c8f5d7fae063e6128ee9c96b9258e10e550093e199cccaca2b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7d2c3f227d42fae4a5b7fbcb491b74e3

SHA1
c1271bbd86747cc709b694ba9579a68b5e75a17c

SHA256
9353a2f27a61e571c5bc92ccc1046c1059c5fad8e1e2cafe63a9cc73e1169c33

SHA512
50330ad733975966b32fbedffb99a25cd13004d685e5788ef11f1f0fedfc62658e3e8f5ed0030fe60ecb02ba95ffa7d440c067a1e164cc3bc02ac5008b6a27d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8b412aa0b6687b4da946906a06c460fa

SHA1
180bb2d6f0645242e91d23e76043c0301916f7f5

SHA256
923ae6b14f6c2bebf34efcf9db8485390ca298cdb952df04bc457df9c45647b3

SHA512
73d949f5159a7c976e250d20b975fff6469d5c41b47488d9738a3466dfb372c7977846f6d8fbf676e07715a5fe284ca1597b74f090e0b55301314f71522ac143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03088ab16e4136b8d3a3366505b767ed

SHA1
e1d73c9dc7e6009659519b33b3dd80f3011adad8

SHA256
b31956814f1bc7c1e47a025622160df37664a3ee8e6d2016ce8919f1fba63a59

SHA512
0c841cc8236b405951c5bdf0ea7c620ef32ab930077442e5c1f2eca9fe474c113e1377829e8072afdbfd9a0f0b2797cf156b2f861395d14b851abc7b365ec11a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7c7211c6ab078878929bb3683f705560

SHA1
5a52049f54692294392837b5922d865e9c407022

SHA256
bb9e2a89c0fc9574eac35f2b2c4bc696f3642fc96ff2fd1f6a2d3467784fbeff

SHA512
4d9b5d0053b0f57651c08084c87416d2ae8613b9ea74651e51f251e5d806f36c194735e4f6f3152d7c72592f60f2a7e971ee82c60410762472942823b1956c38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
152cdcb10a0dcbdcaeb00bd4b08b2f94

SHA1
d957bd7eff64e6b13d3a088c0ae764eaeedf0ad2

SHA256
5525126f60e1b6cf4d353d30db46873836712e3964020d1dbca2694b6dc3d599

SHA512
c2e61516af9e5c14978792ec3b5e20aa84d5f6d9607322575d2f0448a67b6a10911ebf350f51e24e19f40840897251c891cda2c651c0881fccc9e0006d1a2f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b01a8a020fe58ea74b9bc68544d5070

SHA1
3727d3ecba99c94b89a980873b980b20d9ed1e27

SHA256
0c2c5192029d8c4b067d56cd49a8cc2afbcce4e1223b2dee17a9f2922565245b

SHA512
1daff0a81d7cb40fa40f32a89b556c4258bd33efad16f66584c541e2f704848d2f98e7c9c5ffc8bb43811fd1f7cff388a427b3a877a5752a163b141c4b518dc1

Download Submit
memory/2272-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download