f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 05:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
Size

1.1MB
MD5

71745098ee42363d3d18489e6cf47c73
SHA1

cd134c3b2b816f1e6cd4452de63b22b9637f2514
SHA256

f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1
SHA512

b7063ad3580dbc53f465f5cbf26bf3352d3be44600dac7b9151dec7a4f0a7a099aafb5c5df050590964b8a817f11eb5ef806d5b8ec6c934843391342f37b052f
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QR:CcaClSFlG4ZM7QzMy

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2868	svchcst.exe

Executes dropped EXE 33 IoCs

pid	Process
2172	svchcst.exe
2716	svchcst.exe
552	svchcst.exe
2952	svchcst.exe
2908	svchcst.exe
1228	svchcst.exe
2412	svchcst.exe
3016	svchcst.exe
1892	svchcst.exe
2216	svchcst.exe
2416	svchcst.exe
2868	svchcst.exe
540	svchcst.exe
2096	svchcst.exe
884	svchcst.exe
1464	svchcst.exe
1352	svchcst.exe
2384	svchcst.exe
2460	svchcst.exe
2264	svchcst.exe
2120	svchcst.exe
844	svchcst.exe
2284	svchcst.exe
1084	svchcst.exe
2776	svchcst.exe
2908	svchcst.exe
2012	svchcst.exe
1888	svchcst.exe
2356	svchcst.exe
2092	svchcst.exe
1468	svchcst.exe
2088	svchcst.exe
288	svchcst.exe

Loads dropped DLL 56 IoCs

pid	Process
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2768	WScript.exe
2472	WScript.exe
2472	WScript.exe
2192	WScript.exe
2192	WScript.exe
2428	WScript.exe
2428	WScript.exe
1224	WScript.exe
1224	WScript.exe
1200	WScript.exe
1200	WScript.exe
1908	WScript.exe
1908	WScript.exe
2644	WScript.exe
2644	WScript.exe
2368	WScript.exe
2368	WScript.exe
2116	WScript.exe
2116	WScript.exe
568	WScript.exe
568	WScript.exe
288	WScript.exe
288	WScript.exe
1700	WScript.exe
1700	WScript.exe
2272	WScript.exe
2272	WScript.exe
2924	WScript.exe
2924	WScript.exe
900	WScript.exe
900	WScript.exe
2932	WScript.exe
2932	WScript.exe
2328	WScript.exe
2328	WScript.exe
2604	WScript.exe
2604	WScript.exe
2056	WScript.exe
2056	WScript.exe
2020	WScript.exe
2020	WScript.exe
1244	WScript.exe
1244	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
2172	svchcst.exe
2172	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
552	svchcst.exe
552	svchcst.exe
2952	svchcst.exe
2952	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
1228	svchcst.exe
1228	svchcst.exe
2412	svchcst.exe
2412	svchcst.exe
3016	svchcst.exe
3016	svchcst.exe
1892	svchcst.exe
1892	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
2416	svchcst.exe
2416	svchcst.exe
2868	svchcst.exe
2868	svchcst.exe
540	svchcst.exe
540	svchcst.exe
2096	svchcst.exe
2096	svchcst.exe
884	svchcst.exe
884	svchcst.exe
1464	svchcst.exe
1464	svchcst.exe
2948	svchcst.exe
2948	svchcst.exe
2384	svchcst.exe
2384	svchcst.exe
2460	svchcst.exe
2460	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2120	svchcst.exe
2120	svchcst.exe
844	svchcst.exe
844	svchcst.exe
2284	svchcst.exe
2284	svchcst.exe
1084	svchcst.exe
1084	svchcst.exe
2776	svchcst.exe
2776	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
1888	svchcst.exe
1888	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2092	svchcst.exe
2092	svchcst.exe
1468	svchcst.exe
1468	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2768	2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe	30
PID 2644 wrote to memory of 2768	2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe	30
PID 2644 wrote to memory of 2768	2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe	30
PID 2644 wrote to memory of 2768	2644	f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe	30
PID 2768 wrote to memory of 2172	2768	WScript.exe	32
PID 2768 wrote to memory of 2172	2768	WScript.exe	32
PID 2768 wrote to memory of 2172	2768	WScript.exe	32
PID 2768 wrote to memory of 2172	2768	WScript.exe	32
PID 2768 wrote to memory of 2716	2768	WScript.exe	33
PID 2768 wrote to memory of 2716	2768	WScript.exe	33
PID 2768 wrote to memory of 2716	2768	WScript.exe	33
PID 2768 wrote to memory of 2716	2768	WScript.exe	33
PID 2768 wrote to memory of 552	2768	WScript.exe	34
PID 2768 wrote to memory of 552	2768	WScript.exe	34
PID 2768 wrote to memory of 552	2768	WScript.exe	34
PID 2768 wrote to memory of 552	2768	WScript.exe	34
PID 2768 wrote to memory of 2952	2768	WScript.exe	35
PID 2768 wrote to memory of 2952	2768	WScript.exe	35
PID 2768 wrote to memory of 2952	2768	WScript.exe	35
PID 2768 wrote to memory of 2952	2768	WScript.exe	35
PID 2768 wrote to memory of 2908	2768	WScript.exe	36
PID 2768 wrote to memory of 2908	2768	WScript.exe	36
PID 2768 wrote to memory of 2908	2768	WScript.exe	36
PID 2768 wrote to memory of 2908	2768	WScript.exe	36
PID 2768 wrote to memory of 1228	2768	WScript.exe	37
PID 2768 wrote to memory of 1228	2768	WScript.exe	37
PID 2768 wrote to memory of 1228	2768	WScript.exe	37
PID 2768 wrote to memory of 1228	2768	WScript.exe	37
PID 2768 wrote to memory of 2412	2768	WScript.exe	38
PID 2768 wrote to memory of 2412	2768	WScript.exe	38
PID 2768 wrote to memory of 2412	2768	WScript.exe	38
PID 2768 wrote to memory of 2412	2768	WScript.exe	38
PID 2768 wrote to memory of 3016	2768	WScript.exe	39
PID 2768 wrote to memory of 3016	2768	WScript.exe	39
PID 2768 wrote to memory of 3016	2768	WScript.exe	39
PID 2768 wrote to memory of 3016	2768	WScript.exe	39
PID 2768 wrote to memory of 1892	2768	WScript.exe	40
PID 2768 wrote to memory of 1892	2768	WScript.exe	40
PID 2768 wrote to memory of 1892	2768	WScript.exe	40
PID 2768 wrote to memory of 1892	2768	WScript.exe	40
PID 2768 wrote to memory of 2216	2768	WScript.exe	41
PID 2768 wrote to memory of 2216	2768	WScript.exe	41
PID 2768 wrote to memory of 2216	2768	WScript.exe	41
PID 2768 wrote to memory of 2216	2768	WScript.exe	41
PID 2768 wrote to memory of 2416	2768	WScript.exe	42
PID 2768 wrote to memory of 2416	2768	WScript.exe	42
PID 2768 wrote to memory of 2416	2768	WScript.exe	42
PID 2768 wrote to memory of 2416	2768	WScript.exe	42
PID 2768 wrote to memory of 2868	2768	WScript.exe	43
PID 2768 wrote to memory of 2868	2768	WScript.exe	43
PID 2768 wrote to memory of 2868	2768	WScript.exe	43
PID 2768 wrote to memory of 2868	2768	WScript.exe	43
PID 2868 wrote to memory of 2472	2868	svchcst.exe	44
PID 2868 wrote to memory of 2472	2868	svchcst.exe	44
PID 2868 wrote to memory of 2472	2868	svchcst.exe	44
PID 2868 wrote to memory of 2472	2868	svchcst.exe	44
PID 2472 wrote to memory of 540	2472	WScript.exe	45
PID 2472 wrote to memory of 540	2472	WScript.exe	45
PID 2472 wrote to memory of 540	2472	WScript.exe	45
PID 2472 wrote to memory of 540	2472	WScript.exe	45
PID 540 wrote to memory of 2192	540	svchcst.exe	46
PID 540 wrote to memory of 2192	540	svchcst.exe	46
PID 540 wrote to memory of 2192	540	svchcst.exe	46
PID 540 wrote to memory of 2192	540	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe
"C:\Users\Admin\AppData\Local\Temp\f3e7cb06d250d2edd56b4264bfdf839036d17e84bdb500a80e2436d21911a2b1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2172
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2908
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3016
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1892
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:540
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2096
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1464
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2284
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
66502faede9d85474d80393e1e8f9f04

SHA1
182789761a0b9d0438894350d9fda0a805c14805

SHA256
0db4dbf41ac511a6ed33f7a427a6b18ced4e5677a3c75f00ada8495a25041aa8

SHA512
814c0c7a0441fe16b066369369bc40a680e77e2dbf65d2ca6da0443329b397ef246a8661ded0328770e17245fb24b30c12f44cd947a027a5137488f667ce939c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4433cc23fc280ad8dcff9966bac19fe4

SHA1
62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0

SHA256
ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b

SHA512
6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d32955f30e8aad52247ece470e41d5ad

SHA1
ac6775ee1d2cccafe3baeb722ca57bf16953f173

SHA256
bbd8749995b7f218975a3955fac72a16d1f5a3fd3826f7bb98d0b4fe537d6697

SHA512
1a00595cdfca51c9c95101a1d04a15089aded3fc687de721d882c6ef57697a943c0a99d917167e76d55040c5d8607e01fe5a206054112635a642f6364d3fdcaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2c6490a42a6a0c40ff0c4e23b3e1aa2f

SHA1
673399038e095a86936267b5014fc7d216ee5c0a

SHA256
4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

SHA512
8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
57e51d7e4374cd875109b11b9b8deb29

SHA1
aa5554bdcf8417f4b5fc9242f1de625e2fb820bf

SHA256
054ccb4671ec5693715c290f0bed875878cda62addcb38ef21257c59037fe30a

SHA512
6f58d52a71466d92d7da68e1bfdd91db03619d810eae2622b4e5623d2ad4e30e294d885c8c5405b775aa3256e3acbd0442a3bb2a4b6eb50001ee5f8848d66da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b42266100fb9f5e0b7be593aac3c37cf

SHA1
7cd55f31fd2871d09de73a6f62e3a7e1a53327b2

SHA256
1a6710caaf3886be368f3205ee8c9905e10f8ed754d80598c80f1455a700d846

SHA512
d3e5a4f7395d6196403e60214239043b2da6e546cbe080f74c3a680a6f4a7fe1374988df0a1aa84dbc0e41199efd8fb11050d1d1295f3b45811935d740a5108b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
62c562a17934ddba0f2178496c42f1c8

SHA1
69d47abb283b373048a743f6240b2dd3fa06fd56

SHA256
287510d0f09e1cb49e5c5b759c807aa1b4060e30436b3995d097108b3fd1f501

SHA512
f3c0ce568f592d7af824502e86fa4a40baa217f906e2ca857d69765297edf195da26ff75c37d08e1d4d278505816476eeaabe8c1fe0e1408fbcb516443d8ac6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2ca33937342a219b95553ff27c97ceaa

SHA1
4971c0611fabcf3fd21e3e28d6a81f30c89020fe

SHA256
bb24bb6d6ecf092df340aa763fcdd2f3ff0b219f61933010626434a7b40c10cd

SHA512
a6c53e4e4a11c0888bd0e443163260c2cfc0295b84671fbcbf2af81bde7511fdc5668da4b4cf287ec4ff3294bd823968776c56e81a70f8f5b79549a606b8ee76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a193201241039dc9a66decf0d544e354

SHA1
e0996af1339561ab0eedc57abf52c9c85bb14040

SHA256
b0359a3e545e1a28d73f69dd7e7d9c43096ae62b2a0a9ce06d6b607733b11b21

SHA512
5df166384266af7f52993bac6b4a8244e234941914a7e1c793523ef58656ace311b47dc654e870aa1baad3c2cda6e7cc2f02d75e2932e9d00dc1f052a78c64fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f50934e5951480adde5dfabafc2a8ec1

SHA1
fc0a0b1b88eaf6f4e7dd1796a334d400ec69cef0

SHA256
551a5ecac3300da484778ac3d4b3d65f00c944e533861e6ece842ac70818dfda

SHA512
61067b0e4d7b98b90899e86f08ab429183784089e1fd0d1c3929807f07ddf5edf60a241f057d001b7544ba23bd7c3d649328a92366089acb1bb3dc8893f7db84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6a99d775f16b55b76f7aa221307a8358

SHA1
559e69dd55b87d39aa00196aed3ab279df310c1f

SHA256
4b635e7f5e4fad8be023e89eec8d24d7513e74136dda36be982da8ae7bfc9d68

SHA512
10e8ae09e587c69b2037e9c486a9e44232126d36bc3f662f565678053e8d8ce18431bb49aae93d4828d8b7d0cb14e1ceca9dfcb5fffbc275b8b0abac6b8b8993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
4b7ed1202849cbda98df6450468ad7e9

SHA1
b7ac28016428bb45d35192e9b094ab9944ede914

SHA256
a308985dab7b1bd973127d78b4b5ff51bfa98c937fe5b0f3d02e530f4f92e078

SHA512
4ad1eabb9e5f3d98f682e67a5eb4184ba1e739d374e0b500095414b847d92607fc478dd96cde647f26646bbfbf27e4e3f9f05b8d9c8bf3deb13809de5bfca0fa

Download Submit
memory/2644-33-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download