b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76

Analysis

max time kernel
76s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
Size

1.1MB
MD5

58bf159be8449845d776de671852081a
SHA1

3d9094e301b57977f5102cc2ccc72be614fc03b9
SHA256

b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76
SHA512

0d2b2dcfb634dfaf3702e6ce5f3998c174f981699d6d57b451943354aa327b81a4aaff3c1ec33e24e1e8329268b891ab7b7596d382738c1207e618ab0cd7da18
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QJ:acallSllG4ZM7QzM6

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
2356	svchcst.exe

Executes dropped EXE 20 IoCs

pid	Process
4868	svchcst.exe
2336	svchcst.exe
3416	svchcst.exe
3600	svchcst.exe
4336	svchcst.exe
3936	svchcst.exe
1968	svchcst.exe
4764	svchcst.exe
2028	svchcst.exe
3304	svchcst.exe
2256	svchcst.exe
3008	svchcst.exe
4788	svchcst.exe
532	svchcst.exe
1660	svchcst.exe
2356	svchcst.exe
2276	svchcst.exe
1968	svchcst.exe
2676	svchcst.exe
3920	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
4868	svchcst.exe
4868	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
3416	svchcst.exe
3416	svchcst.exe
3600	svchcst.exe
3600	svchcst.exe
3936	svchcst.exe
4336	svchcst.exe
3936	svchcst.exe
4336	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
4764	svchcst.exe
4764	svchcst.exe
2028	svchcst.exe
2028	svchcst.exe
3304	svchcst.exe
3304	svchcst.exe
2256	svchcst.exe
2256	svchcst.exe
3008	svchcst.exe
3008	svchcst.exe
4788	svchcst.exe
4788	svchcst.exe
532	svchcst.exe
532	svchcst.exe
1660	svchcst.exe
1660	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2276	svchcst.exe
2276	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2676	svchcst.exe
3920	svchcst.exe
2676	svchcst.exe
3920	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 3236	1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe	89
PID 1208 wrote to memory of 3236	1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe	89
PID 1208 wrote to memory of 3236	1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe	89
PID 1208 wrote to memory of 3648	1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe	90
PID 1208 wrote to memory of 3648	1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe	90
PID 1208 wrote to memory of 3648	1208	b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe	90
PID 3648 wrote to memory of 4868	3648	WScript.exe	92
PID 3648 wrote to memory of 4868	3648	WScript.exe	92
PID 3648 wrote to memory of 4868	3648	WScript.exe	92
PID 3236 wrote to memory of 2336	3236	WScript.exe	93
PID 3236 wrote to memory of 2336	3236	WScript.exe	93
PID 3236 wrote to memory of 2336	3236	WScript.exe	93
PID 3236 wrote to memory of 3416	3236	WScript.exe	95
PID 3236 wrote to memory of 3416	3236	WScript.exe	95
PID 3236 wrote to memory of 3416	3236	WScript.exe	95
PID 3648 wrote to memory of 3600	3648	WScript.exe	94
PID 3648 wrote to memory of 3600	3648	WScript.exe	94
PID 3648 wrote to memory of 3600	3648	WScript.exe	94
PID 3648 wrote to memory of 3936	3648	WScript.exe	96
PID 3648 wrote to memory of 3936	3648	WScript.exe	96
PID 3648 wrote to memory of 3936	3648	WScript.exe	96
PID 3236 wrote to memory of 4336	3236	WScript.exe	97
PID 3236 wrote to memory of 4336	3236	WScript.exe	97
PID 3236 wrote to memory of 4336	3236	WScript.exe	97
PID 3236 wrote to memory of 1968	3236	WScript.exe	98
PID 3236 wrote to memory of 1968	3236	WScript.exe	98
PID 3236 wrote to memory of 1968	3236	WScript.exe	98
PID 3648 wrote to memory of 4764	3648	WScript.exe	99
PID 3648 wrote to memory of 4764	3648	WScript.exe	99
PID 3648 wrote to memory of 4764	3648	WScript.exe	99
PID 3236 wrote to memory of 2028	3236	WScript.exe	102
PID 3236 wrote to memory of 2028	3236	WScript.exe	102
PID 3236 wrote to memory of 2028	3236	WScript.exe	102
PID 3648 wrote to memory of 3304	3648	WScript.exe	103
PID 3648 wrote to memory of 3304	3648	WScript.exe	103
PID 3648 wrote to memory of 3304	3648	WScript.exe	103
PID 3236 wrote to memory of 2256	3236	WScript.exe	104
PID 3236 wrote to memory of 2256	3236	WScript.exe	104
PID 3236 wrote to memory of 2256	3236	WScript.exe	104
PID 3236 wrote to memory of 3008	3236	WScript.exe	106
PID 3236 wrote to memory of 3008	3236	WScript.exe	106
PID 3236 wrote to memory of 3008	3236	WScript.exe	106
PID 3236 wrote to memory of 4788	3236	WScript.exe	107
PID 3236 wrote to memory of 4788	3236	WScript.exe	107
PID 3236 wrote to memory of 4788	3236	WScript.exe	107
PID 3648 wrote to memory of 532	3648	WScript.exe	108
PID 3648 wrote to memory of 532	3648	WScript.exe	108
PID 3648 wrote to memory of 532	3648	WScript.exe	108
PID 3236 wrote to memory of 1660	3236	WScript.exe	109
PID 3236 wrote to memory of 1660	3236	WScript.exe	109
PID 3236 wrote to memory of 1660	3236	WScript.exe	109
PID 3236 wrote to memory of 2356	3236	WScript.exe	110
PID 3236 wrote to memory of 2356	3236	WScript.exe	110
PID 3236 wrote to memory of 2356	3236	WScript.exe	110
PID 2356 wrote to memory of 3348	2356	svchcst.exe	112
PID 2356 wrote to memory of 3348	2356	svchcst.exe	112
PID 2356 wrote to memory of 3348	2356	svchcst.exe	112
PID 2356 wrote to memory of 4000	2356	svchcst.exe	113
PID 2356 wrote to memory of 4000	2356	svchcst.exe	113
PID 2356 wrote to memory of 4000	2356	svchcst.exe	113
PID 4000 wrote to memory of 2276	4000	WScript.exe	116
PID 4000 wrote to memory of 2276	4000	WScript.exe	116
PID 4000 wrote to memory of 2276	4000	WScript.exe	116
PID 2276 wrote to memory of 8	2276	svchcst.exe	117

C:\Users\Admin\AppData\Local\Temp\b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe
"C:\Users\Admin\AppData\Local\Temp\b23ba60000e2ba57eadb6adec35cc24842d96c18a61160f6fefb9500b7b54c76.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2336
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3416
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4336
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2256
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3008
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3348
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:8
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3920
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3600
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3936
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4764
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3304
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
3230d647f99bdf5dc1e789effd3c6327

SHA1
d9faa6cc0e406549ac30464618123ceefaddd39a

SHA256
1ac381ee2e4f99552762da3c0f95edf5c22caea2842816b5ad0e5269798fb5d2

SHA512
a106c938025454b961b000d972483599321e22d6a664cea19db59e7a55432751e210d646e48c9d38387403d87e7c19f93efafef55c4926cb508651273c0f5ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99190cc32e9995c46b8a5b9b268a5bbe

SHA1
4ad00bc8655bced61776b40f2cc5bf0180a175d4

SHA256
308f79dad8498e1020104d40c992a2a6b9d4841f2c9c705e4b4401c48764a096

SHA512
f6447cdd779f7e95f6e84469388e55d7c18249f434aadf7cb7d4ec18cded20161a1cd8bb8830186c55ce8a945ab7c7cff08f85787c2616d447a90cb6f4622571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f080eefd41c0fca1c404d5133fb5c957

SHA1
bef3f9c014eca7cf4dc001f3d85befd3681d4bcc

SHA256
758f74e1aa31de598fbf37f70ffd76f936c0b5dd2227b17c0d8e9ac4506f3aaf

SHA512
e2066e4082f51d4064bfd68eff48c97c481bbb524bb0fa2da0b5ae25bda730811d2933480a72d91a8e5c10ac794f0e793fb8323892332eb9b7c43890ee25c4d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ee3d511bee484aec8d87a17cf2f3605b

SHA1
51f9bf64b880a282d9a4b9c6874cf1c10e0cee46

SHA256
387019e3e679c661d0102b40204037842d9fc2b108e85f431ae7b5afd275e0bb

SHA512
e1a60ab687b4a5f395339815da2025eb75cf313156e439d42cedf3db955d972f6e5da6f668164ffc15f25234f4fb1e141fc7c525c3f04edbd894f9a6cc669d20

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8dcb5cad07ec57318a876e4ac882e8e0

SHA1
72a2a4c3971742bb1d4c794abbf52b7d17b74c12

SHA256
7442390c6282bbfd146b769e7b5e16b92a2b2be9b1a31095fceee5258ae5c941

SHA512
cec66f7d2d587f16bfe72c6469eba823f117d9c09e376969b8a3b708103c77273edfe2e2d64bb6b1148e99537b1ad675b3e598d55446d98fbd6a56c2924175e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ed41077667cabbaf1741d5870c588a2

SHA1
46762704579a2a1063ac8ce675e0a5042109a778

SHA256
8f09daea4a962951abdf811d9b2040d80f17dc2a2bf7f73a9c12571619d9ee21

SHA512
4993daf1ebfa0ec2e658a655eadfa9d765fe98ae09209f36bcc6fa206dcdbbeba22b1896ef03a6fa7418ded4a3925ebde60e9d28d580a77959bee91f76dc9bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
dc62eb4decfe0875ba488af702e22439

SHA1
39c8b0fa272d24d48888e7044bc558ab4967e72d

SHA256
87019d03bebba730b3dd9178e5435791a2fe064fadbe52a1c53031283bafddfa

SHA512
1be46dfc8b7ca0d8a336b9a0f7d7a870b67c7eb94cd9e82e53ea045f0e18804c9a9d1388882b1eba955c8eb7e9bfa9a815e39073926aa60d37c647fa73597d21

Download Submit
memory/532-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1660-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-85-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2028-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2256-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2336-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2356-62-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2676-89-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3008-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3304-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3416-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3600-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3920-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3936-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3936-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4336-26-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4336-23-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4764-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4764-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4788-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4788-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4868-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download