61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe
Size

1.1MB
MD5

801b39b343089d1ef0c105098b5f9d88
SHA1

79b61e5dbaa4c581be887080febcf08556dded22
SHA256

61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581
SHA512

6d511d996fa1246e7fe0ace25dc38d4f76836d3ba10af23fcbc1795faca6187b8a15aad1cf27ad8b942404e85ae5c7fce8356f9a4e49a48977b68811ad166abc
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qx:CcaClSFlG4ZM7QzMi

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2560	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2560	svchcst.exe
1352	svchcst.exe
1708	svchcst.exe
2684	svchcst.exe
1148	svchcst.exe
2016	svchcst.exe
1936	svchcst.exe
2436	svchcst.exe
1348	svchcst.exe
2000	svchcst.exe
1900	svchcst.exe
1768	svchcst.exe
1852	svchcst.exe
2544	svchcst.exe
3044	svchcst.exe
2908	svchcst.exe
2696	svchcst.exe
2432	svchcst.exe
2560	svchcst.exe
2320	svchcst.exe
2168	svchcst.exe
2036	svchcst.exe
848	svchcst.exe
2920	svchcst.exe

Loads dropped DLL 38 IoCs

pid	Process
2128	WScript.exe
2128	WScript.exe
2956	WScript.exe
788	WScript.exe
788	WScript.exe
2112	WScript.exe
2940	WScript.exe
2940	WScript.exe
1424	WScript.exe
1520	WScript.exe
1520	WScript.exe
1520	WScript.exe
2404	WScript.exe
2536	WScript.exe
2956	WScript.exe
2260	WScript.exe
2228	WScript.exe
2228	WScript.exe
2328	WScript.exe
2328	WScript.exe
2940	WScript.exe
2940	WScript.exe
3036	WScript.exe
3036	WScript.exe
2072	WScript.exe
2072	WScript.exe
1012	WScript.exe
1012	WScript.exe
2216	WScript.exe
2216	WScript.exe
1484	WScript.exe
1484	WScript.exe
3064	WScript.exe
3064	WScript.exe
1004	WScript.exe
1004	WScript.exe
112	WScript.exe
112	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 51 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe
2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe
2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe
2560	svchcst.exe
2560	svchcst.exe
1352	svchcst.exe
1352	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
1148	svchcst.exe
1148	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
1348	svchcst.exe
1348	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
1900	svchcst.exe
1900	svchcst.exe
1768	svchcst.exe
1768	svchcst.exe
1852	svchcst.exe
1852	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
3044	svchcst.exe
3044	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2696	svchcst.exe
2696	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe
2320	svchcst.exe
2320	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
848	svchcst.exe
848	svchcst.exe
2920	svchcst.exe
2920	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2856	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	30
PID 2584 wrote to memory of 2856	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	30
PID 2584 wrote to memory of 2856	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	30
PID 2584 wrote to memory of 2856	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	30
PID 2584 wrote to memory of 2128	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	31
PID 2584 wrote to memory of 2128	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	31
PID 2584 wrote to memory of 2128	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	31
PID 2584 wrote to memory of 2128	2584	61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe	31
PID 2128 wrote to memory of 2560	2128	WScript.exe	34
PID 2128 wrote to memory of 2560	2128	WScript.exe	34
PID 2128 wrote to memory of 2560	2128	WScript.exe	34
PID 2128 wrote to memory of 2560	2128	WScript.exe	34
PID 2560 wrote to memory of 2956	2560	svchcst.exe	35
PID 2560 wrote to memory of 2956	2560	svchcst.exe	35
PID 2560 wrote to memory of 2956	2560	svchcst.exe	35
PID 2560 wrote to memory of 2956	2560	svchcst.exe	35
PID 2956 wrote to memory of 1352	2956	WScript.exe	36
PID 2956 wrote to memory of 1352	2956	WScript.exe	36
PID 2956 wrote to memory of 1352	2956	WScript.exe	36
PID 2956 wrote to memory of 1352	2956	WScript.exe	36
PID 1352 wrote to memory of 788	1352	svchcst.exe	37
PID 1352 wrote to memory of 788	1352	svchcst.exe	37
PID 1352 wrote to memory of 788	1352	svchcst.exe	37
PID 1352 wrote to memory of 788	1352	svchcst.exe	37
PID 788 wrote to memory of 1708	788	WScript.exe	38
PID 788 wrote to memory of 1708	788	WScript.exe	38
PID 788 wrote to memory of 1708	788	WScript.exe	38
PID 788 wrote to memory of 1708	788	WScript.exe	38
PID 1708 wrote to memory of 2816	1708	svchcst.exe	39
PID 1708 wrote to memory of 2816	1708	svchcst.exe	39
PID 1708 wrote to memory of 2816	1708	svchcst.exe	39
PID 1708 wrote to memory of 2816	1708	svchcst.exe	39
PID 788 wrote to memory of 2684	788	WScript.exe	40
PID 788 wrote to memory of 2684	788	WScript.exe	40
PID 788 wrote to memory of 2684	788	WScript.exe	40
PID 788 wrote to memory of 2684	788	WScript.exe	40
PID 2684 wrote to memory of 2112	2684	svchcst.exe	41
PID 2684 wrote to memory of 2112	2684	svchcst.exe	41
PID 2684 wrote to memory of 2112	2684	svchcst.exe	41
PID 2684 wrote to memory of 2112	2684	svchcst.exe	41
PID 2112 wrote to memory of 1148	2112	WScript.exe	42
PID 2112 wrote to memory of 1148	2112	WScript.exe	42
PID 2112 wrote to memory of 1148	2112	WScript.exe	42
PID 2112 wrote to memory of 1148	2112	WScript.exe	42
PID 1148 wrote to memory of 2940	1148	svchcst.exe	43
PID 1148 wrote to memory of 2940	1148	svchcst.exe	43
PID 1148 wrote to memory of 2940	1148	svchcst.exe	43
PID 1148 wrote to memory of 2940	1148	svchcst.exe	43
PID 2940 wrote to memory of 2016	2940	WScript.exe	44
PID 2940 wrote to memory of 2016	2940	WScript.exe	44
PID 2940 wrote to memory of 2016	2940	WScript.exe	44
PID 2940 wrote to memory of 2016	2940	WScript.exe	44
PID 2016 wrote to memory of 1424	2016	svchcst.exe	45
PID 2016 wrote to memory of 1424	2016	svchcst.exe	45
PID 2016 wrote to memory of 1424	2016	svchcst.exe	45
PID 2016 wrote to memory of 1424	2016	svchcst.exe	45
PID 1424 wrote to memory of 1936	1424	WScript.exe	46
PID 1424 wrote to memory of 1936	1424	WScript.exe	46
PID 1424 wrote to memory of 1936	1424	WScript.exe	46
PID 1424 wrote to memory of 1936	1424	WScript.exe	46
PID 1936 wrote to memory of 1520	1936	svchcst.exe	47
PID 1936 wrote to memory of 1520	1936	svchcst.exe	47
PID 1936 wrote to memory of 1520	1936	svchcst.exe	47
PID 1936 wrote to memory of 1520	1936	svchcst.exe	47

C:\Users\Admin\AppData\Local\Temp\61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe
"C:\Users\Admin\AppData\Local\Temp\61fa02778b39042a731aaebcd5b0a52a87a8bb19cc2a8e1e54e08c4e24ff1581.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2432
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2320
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5771c014296ebb077452c34a3ea54708

SHA1
6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58

SHA256
8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859

SHA512
642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
09860d973b19f909af75e64c1a230eab

SHA1
1cf45fb9f708cb816f4632d84fc860b942427f0d

SHA256
ebb7d2a3793a3ef65ad5540e60bee7bfb7d7e10ce1f71a4d33ba126cd6e05ad3

SHA512
dab6c174806573a22d40fd0d93e93bedf1bd64df7ba20c6b3fee0edc3141684d1539b5e62faa30d616131267bc4d73b86c2c3463ed9c055aa1d66f814b65433c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
22ee4efbc67fc70b9f9d483cf169e846

SHA1
5e0a01490f92c7a77457c1df61c009cdc5c641dd

SHA256
abd4fb5ee308e65770cced9ea111c1dcfc48e0571cfcb79284f4fbbab293e161

SHA512
7638f6551734a6256e6d7666a9811368ee2894afeb442f65c6da0680fe8134059c52f552e36b2539774c4e3e5fc0cc1ae027e3ef872b5bb5d4b8e0f6687ce238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
95cbcc068b61f14455af7f3daea5c57f

SHA1
7121bec25241666a150cd1a58eb7efb0b26eab96

SHA256
205412cd3d890bd070295ebf41e4a831de855a2b755c1a583b4dd2df66d5bc81

SHA512
5ae57031bb2ce71bf93c683f07f82b521918ef8a145a80f8e488e403d7ca97079cb305bb3f9ad93f2b3a99f44954063447a5f9a2c0f6f276a2ef84beff5674a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
efa4b9f79f0e80cc4480b4196f965c98

SHA1
56401c277c2e9c8111a865c9225b943fc4a7433b

SHA256
5db1107f337e47becfbcacfdc107678db82fb69fc4a9a1341c0decacff5146c3

SHA512
c3b3f2cd4b0a7257fcb391a7defee9a0db1650febb3dab466732bf81cdec9a8bbfb9e28afd2ffff03d57f2cd2be8adc8da67abeb39e295c94b3dd536fb092180

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
18daeaff7fc134fc2edabbaea7e7e9f0

SHA1
a6a3002f7828141bac042e08241df957ef348bb4

SHA256
56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303

SHA512
6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66dec81d7f7dc4e36f9d8151fe38056a

SHA1
fc169994b2239eb407778d28d35025f7c9a1658e

SHA256
a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

SHA512
3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
25741fab0bc335b1ed971b3134b0edd3

SHA1
9849046efa3f20662f73cefd0d090bef480c9835

SHA256
05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98

SHA512
6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
77e6050060ba7681ef21dc2de87135f4

SHA1
53db924e4bec4058482ae6175895035cf18b02a0

SHA256
12c9247040d3f6a8b4cf9ed65c961c70050f161d9331380b21ab02aa29789b6b

SHA512
ec0496443d18924806928b43b57d8b13da2790ba9b89fbc20df13ede967adb8fa01d65521919fc93ceb0e3038acdf7e5282773ae93efc5005180c266563d83cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
234691e979c75e456b0a953fccae9eba

SHA1
69b83d555056d68dc5fba9ce4ce2cd01fc948145

SHA256
6dd790b0d962c8fe4776eb2f525d0e26038e1e8d016bc53e885cc8ecb9a64b37

SHA512
b82bd4081d16dd27a8201511daa72f0a1fbb8611104a440693a9ff2eca02a792634921a096860b3984dbfa6f38ef9e417c068184e138e89d2c1b55011005be1b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f8d2b62c8bb1d79057742c37deb97203

SHA1
51be80e5b8557fd0a26f44446a13d6d7501cf1c1

SHA256
b068318cd1199475646cd68a5ba36f129fe69629a5592a5cb169c090c4a34734

SHA512
32f82f9adb899539a78d236ce06626c1df940707e170dcc51eeb2407337df8baeedc98712fba24774a97960d107ab0d6d2bfe16c654c7f8774d8fd7ed7318a8f

Download Submit
memory/2584-10-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download