e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe
Size

1.1MB
MD5

817ded36ac83df717fca28eb5389a9e1
SHA1

acca237258df7f7442ff3d9e759913ea83edbaa0
SHA256

e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b
SHA512

2ddbd81c633d9d6fb24a75ea0c32a74eec5c4049ddb29c2c032b2b1392e4a7917a5afc672811bd7702803c44fa68c971e57ca3ab4538bc71ebb90e148e3fe252
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qr:CcaClSFlG4ZM7QzMs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2700	svchcst.exe
1104	svchcst.exe
1496	svchcst.exe
2296	svchcst.exe
448	svchcst.exe
1888	svchcst.exe
3032	svchcst.exe
2104	svchcst.exe
2588	svchcst.exe
1236	svchcst.exe
2908	svchcst.exe
532	svchcst.exe
956	svchcst.exe
2540	svchcst.exe
2140	svchcst.exe
952	svchcst.exe
2168	svchcst.exe
2832	svchcst.exe
2880	svchcst.exe
2984	svchcst.exe
1992	svchcst.exe
3036	svchcst.exe
1932	svchcst.exe

Loads dropped DLL 40 IoCs

pid	Process
2192	WScript.exe
2192	WScript.exe
2624	WScript.exe
1984	WScript.exe
1984	WScript.exe
1984	WScript.exe
2272	WScript.exe
1268	WScript.exe
1268	WScript.exe
1948	WScript.exe
696	WScript.exe
696	WScript.exe
1656	WScript.exe
1656	WScript.exe
2840	WScript.exe
2840	WScript.exe
2912	WScript.exe
2912	WScript.exe
2980	WScript.exe
2980	WScript.exe
3028	WScript.exe
3028	WScript.exe
3060	WScript.exe
3060	WScript.exe
1528	WScript.exe
1528	WScript.exe
2640	WScript.exe
2640	WScript.exe
876	WScript.exe
876	WScript.exe
1032	WScript.exe
1032	WScript.exe
1516	WScript.exe
1516	WScript.exe
2932	WScript.exe
2932	WScript.exe
2420	WScript.exe
2420	WScript.exe
2544	WScript.exe
2544	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe
2700	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe
2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe
2700	svchcst.exe
2700	svchcst.exe
1104	svchcst.exe
1104	svchcst.exe
1496	svchcst.exe
1496	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
448	svchcst.exe
448	svchcst.exe
1888	svchcst.exe
1888	svchcst.exe
3032	svchcst.exe
3032	svchcst.exe
2104	svchcst.exe
2104	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
1236	svchcst.exe
1236	svchcst.exe
2908	svchcst.exe
2908	svchcst.exe
532	svchcst.exe
532	svchcst.exe
956	svchcst.exe
956	svchcst.exe
2540	svchcst.exe
2540	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
952	svchcst.exe
952	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
2832	svchcst.exe
2832	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
2984	svchcst.exe
2984	svchcst.exe
1992	svchcst.exe
1992	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2192	2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe	30
PID 2368 wrote to memory of 2192	2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe	30
PID 2368 wrote to memory of 2192	2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe	30
PID 2368 wrote to memory of 2192	2368	e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe	30
PID 2192 wrote to memory of 2700	2192	WScript.exe	33
PID 2192 wrote to memory of 2700	2192	WScript.exe	33
PID 2192 wrote to memory of 2700	2192	WScript.exe	33
PID 2192 wrote to memory of 2700	2192	WScript.exe	33
PID 2700 wrote to memory of 2624	2700	svchcst.exe	34
PID 2700 wrote to memory of 2624	2700	svchcst.exe	34
PID 2700 wrote to memory of 2624	2700	svchcst.exe	34
PID 2700 wrote to memory of 2624	2700	svchcst.exe	34
PID 2624 wrote to memory of 1104	2624	WScript.exe	35
PID 2624 wrote to memory of 1104	2624	WScript.exe	35
PID 2624 wrote to memory of 1104	2624	WScript.exe	35
PID 2624 wrote to memory of 1104	2624	WScript.exe	35
PID 1104 wrote to memory of 1984	1104	svchcst.exe	36
PID 1104 wrote to memory of 1984	1104	svchcst.exe	36
PID 1104 wrote to memory of 1984	1104	svchcst.exe	36
PID 1104 wrote to memory of 1984	1104	svchcst.exe	36
PID 1984 wrote to memory of 1496	1984	WScript.exe	37
PID 1984 wrote to memory of 1496	1984	WScript.exe	37
PID 1984 wrote to memory of 1496	1984	WScript.exe	37
PID 1984 wrote to memory of 1496	1984	WScript.exe	37
PID 1496 wrote to memory of 2792	1496	svchcst.exe	38
PID 1496 wrote to memory of 2792	1496	svchcst.exe	38
PID 1496 wrote to memory of 2792	1496	svchcst.exe	38
PID 1496 wrote to memory of 2792	1496	svchcst.exe	38
PID 1984 wrote to memory of 2296	1984	WScript.exe	39
PID 1984 wrote to memory of 2296	1984	WScript.exe	39
PID 1984 wrote to memory of 2296	1984	WScript.exe	39
PID 1984 wrote to memory of 2296	1984	WScript.exe	39
PID 2296 wrote to memory of 2272	2296	svchcst.exe	40
PID 2296 wrote to memory of 2272	2296	svchcst.exe	40
PID 2296 wrote to memory of 2272	2296	svchcst.exe	40
PID 2296 wrote to memory of 2272	2296	svchcst.exe	40
PID 2272 wrote to memory of 448	2272	WScript.exe	41
PID 2272 wrote to memory of 448	2272	WScript.exe	41
PID 2272 wrote to memory of 448	2272	WScript.exe	41
PID 2272 wrote to memory of 448	2272	WScript.exe	41
PID 448 wrote to memory of 1268	448	svchcst.exe	42
PID 448 wrote to memory of 1268	448	svchcst.exe	42
PID 448 wrote to memory of 1268	448	svchcst.exe	42
PID 448 wrote to memory of 1268	448	svchcst.exe	42
PID 1268 wrote to memory of 1888	1268	WScript.exe	43
PID 1268 wrote to memory of 1888	1268	WScript.exe	43
PID 1268 wrote to memory of 1888	1268	WScript.exe	43
PID 1268 wrote to memory of 1888	1268	WScript.exe	43
PID 1888 wrote to memory of 936	1888	svchcst.exe	44
PID 1888 wrote to memory of 936	1888	svchcst.exe	44
PID 1888 wrote to memory of 936	1888	svchcst.exe	44
PID 1888 wrote to memory of 936	1888	svchcst.exe	44
PID 1268 wrote to memory of 3032	1268	WScript.exe	45
PID 1268 wrote to memory of 3032	1268	WScript.exe	45
PID 1268 wrote to memory of 3032	1268	WScript.exe	45
PID 1268 wrote to memory of 3032	1268	WScript.exe	45
PID 3032 wrote to memory of 1948	3032	svchcst.exe	46
PID 3032 wrote to memory of 1948	3032	svchcst.exe	46
PID 3032 wrote to memory of 1948	3032	svchcst.exe	46
PID 3032 wrote to memory of 1948	3032	svchcst.exe	46
PID 1948 wrote to memory of 2104	1948	WScript.exe	47
PID 1948 wrote to memory of 2104	1948	WScript.exe	47
PID 1948 wrote to memory of 2104	1948	WScript.exe	47
PID 1948 wrote to memory of 2104	1948	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe
"C:\Users\Admin\AppData\Local\Temp\e27dac42621d2d54d2924491dd23f93152e042df9f66bd17e03bea7820f8d28b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:532
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
401d18ab8435a8ef6d3c325b3012cc38

SHA1
0d852d9f678cfff9355522356916ee26b8255549

SHA256
7d60b7ba6e379a01b7206bb1e32135e3617b7f0fe72b3f424d351a672a4389ba

SHA512
4ed2e7df446a20b6024e5e4e4c146e53f0a8b9665be479bc247e10c073fa957440b0f18a3eb260516a78b877bf66f158b55c03bf74237b967616269a182477ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
234d3bd7d4c79c9f8515c4e3812a1c9b

SHA1
f0add1f9e02bad7016d7b183f6d64d4800df4e12

SHA256
c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0

SHA512
3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
297aff64991480fd92a4ce9fb4d40807

SHA1
c586f7003f854f442db26448516e59826dfe41e9

SHA256
5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

SHA512
f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
02bec440e11bdc76b5de3232abd91f03

SHA1
2118a1f2249848ea084c7d98709f7ba7906e43a3

SHA256
4382e8d6fd98aeb7c574b195019c1687ac6628e8f97485614ad743ae5a0616b0

SHA512
f86e900e6bd38151fad12b160c0489823bd18d15609346172ca1f815593e69f9269cb28a0eaea6a588a29d41343f3b9d4c6489cc3c50e2b24a31720de26e0411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3f88ed4a802ff96db44e34ad53ac06c2

SHA1
446fe4e265af02ea012b5a8d5d0e7a0c9867f1ed

SHA256
04a5abb92c689fa7b9d768a067b1d9bd16c0a5d856c67c7f7881d62662ae0911

SHA512
f1afaf53ee96969d58902836b841ca7feed9769c81d9b2d63b72db5d7cf04d6a659b50869f8dba0d650aa6833d892261c0c3dd918e8bfbed13237e6333c47fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
16b9011648a577741b7fb4a55f1eeaac

SHA1
b0d86d1cf62b882bf28f0897ddb610e41cc6814c

SHA256
7bf3fbb9962c054e651caf4e49fa468d5892cb0bf88f4bbf3fd85b372a7d173c

SHA512
1d8631904aa2df5a90aef858d4369ed53d0075f97b42361a8e05c9a64f8e6a786897b625b1230d20415f3923db8aa5d8f5f619b7b9084202fecf4e7cead4366d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b9f42b67196579be4b48ef3493e40a6d

SHA1
f0a798a4aa9401ce637b3016829d6bc178b46b36

SHA256
5af7cfef4fc0b02f32178caf67f947bc09a9631a5ec201ffa67b2f4f470bbed2

SHA512
875207383356da783c8f932da091d7c1316a0859406a388a6a4b0e641cc15326ac5134a5dc3e5299cccd6c245456483db86f5f9652fec2fa049996259d166284

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e8db8bf6305ada657f4147512cd8f7a6

SHA1
b523ab8297ab7a419004daeb68bdea2045dfb368

SHA256
84ff541277fc63d5f89a6da4f8e46d1134864ec3a87bb2500f3b3f20bfcf7924

SHA512
55b2f9749e7814fa76547893d1309040135e421d755c0a75249c52aa517b5a6ceac2d29ee7a154456f3473a98e5817f41964dace7b0de9eb357e9d0ebe370562

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6407430a26f80419350613d3fe311422

SHA1
c3bd6779ab213e647522c2bc986b38b6d427119d

SHA256
ac89cc200e1e285df2f1f30c869907884361387a099affa23e70b130d8b6f192

SHA512
041cd41addbf7058e912f7ccdf6f31a0417de1e5d77f322516671ce2c95fdc61769ebd789b6aa3d7832e5f452f815fcac38b05b3525578f0f12ca4e3282a81c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9d2e83e1aaede6309cfe01466b19c3c5

SHA1
4228afdc91be6ef45316da5a09455fb2375bb4e6

SHA256
72fc3d6c5530fb613f72d4b799361d5b68e481de82ae266dc62734a9aff08d2e

SHA512
e4e6303feacb917ab0246541af64924acb058fb45986940d8b8b4e38aa206e85ed447c943b81a989e68b8b712437c0d13c5eaa27065cedf3df5a5bffb6fdad6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5e3a1c0390147cf9e079070394f15d72

SHA1
79bd85c8bd9501bdb96fe8b8a62e29825a18ac7e

SHA256
3e52e4021be72e823637a58dbbc9ca0ff144b373a184a20c5b365d99d5e1f028

SHA512
ffe697ddb4fd1268bfd5ab1bb1aaaeb4768757b6597707469c12f6ea9a152fdbd1dbe370999dfb3376833dc32a59fcdb7921f7602adcfccd2a3e99171a5d1ae7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d1278ae5c3eff80be66f6316e709f1bc

SHA1
88d2e33554db7ffc4d2a7a43e84574312f955de2

SHA256
0b13eab5e939040726ffaf8c1b6659bfe104842e9009758353b030ec113cca3b

SHA512
390a71bcff6135c13e42fa2897f4bd056d6a36b444f53ac1439aa4b0138b547a60efa47085bd503c75817a812f530db6ac13b2e419bef39c2de59b1a54a31a9a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
354ab6962a6525e01b26ed1f710ddcdd

SHA1
1ca749e3880be5db0c40d772db38b2657d58a0c3

SHA256
8e6fb7c5695cbe1743f63d080e8edfc75ea3d0d4220c974af7f1307d48e0b775

SHA512
19b40c37eb711521f7d4532cf6178120c315d0a0c885251365e64aa8fe4f1af42114522b70b8f07b471655b508e7ba8a05a7ead8aa7e5652e8ef9344fac4bc9a

Download Submit
memory/2368-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download