08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
Size

1.1MB
MD5

664ba2abd33f1369879e9c034225e215
SHA1

73af3ce078cb89ca29accd0683880e38434bb58f
SHA256

08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc
SHA512

a7bda79a247ad4c29baf6b08ceb2ae1d547f0e467d34695115865789f1a532b2b63f71cac977685f60e8da491580d7137a0551a5a5323731130d49779aa34c3e
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	svchcst.exe

Deletes itself 1 IoCs

pid	Process
2192	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
3516	svchcst.exe
1916	svchcst.exe
668	svchcst.exe
4536	svchcst.exe
2828	svchcst.exe
3324	svchcst.exe
2216	svchcst.exe
904	svchcst.exe
2620	svchcst.exe
4900	svchcst.exe
3788	svchcst.exe
4168	svchcst.exe
4772	svchcst.exe
1132	svchcst.exe
4112	svchcst.exe
632	svchcst.exe
3200	svchcst.exe
2192	svchcst.exe
4736	svchcst.exe
2044	svchcst.exe
448	svchcst.exe
3624	svchcst.exe
2428	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
3516	svchcst.exe
1916	svchcst.exe
1916	svchcst.exe
3516	svchcst.exe
668	svchcst.exe
668	svchcst.exe
4536	svchcst.exe
4536	svchcst.exe
2828	svchcst.exe
2828	svchcst.exe
3324	svchcst.exe
3324	svchcst.exe
2216	svchcst.exe
2216	svchcst.exe
904	svchcst.exe
904	svchcst.exe
2620	svchcst.exe
2620	svchcst.exe
4900	svchcst.exe
4900	svchcst.exe
3788	svchcst.exe
3788	svchcst.exe
4168	svchcst.exe
4168	svchcst.exe
4772	svchcst.exe
4772	svchcst.exe
1132	svchcst.exe
1132	svchcst.exe
4112	svchcst.exe
4112	svchcst.exe
632	svchcst.exe
632	svchcst.exe
3200	svchcst.exe
3200	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
4736	svchcst.exe
4736	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
448	svchcst.exe
448	svchcst.exe
3624	svchcst.exe
2428	svchcst.exe
3624	svchcst.exe
2428	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2960	640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	87
PID 640 wrote to memory of 2960	640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	87
PID 640 wrote to memory of 2960	640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	87
PID 640 wrote to memory of 1356	640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	86
PID 640 wrote to memory of 1356	640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	86
PID 640 wrote to memory of 1356	640	08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe	86
PID 1356 wrote to memory of 1916	1356	WScript.exe	89
PID 1356 wrote to memory of 1916	1356	WScript.exe	89
PID 1356 wrote to memory of 1916	1356	WScript.exe	89
PID 2960 wrote to memory of 3516	2960	WScript.exe	90
PID 2960 wrote to memory of 3516	2960	WScript.exe	90
PID 2960 wrote to memory of 3516	2960	WScript.exe	90
PID 2960 wrote to memory of 668	2960	WScript.exe	91
PID 2960 wrote to memory of 668	2960	WScript.exe	91
PID 2960 wrote to memory of 668	2960	WScript.exe	91
PID 1356 wrote to memory of 4536	1356	WScript.exe	92
PID 1356 wrote to memory of 4536	1356	WScript.exe	92
PID 1356 wrote to memory of 4536	1356	WScript.exe	92
PID 2960 wrote to memory of 2828	2960	WScript.exe	93
PID 2960 wrote to memory of 2828	2960	WScript.exe	93
PID 2960 wrote to memory of 2828	2960	WScript.exe	93
PID 1356 wrote to memory of 3324	1356	WScript.exe	94
PID 1356 wrote to memory of 3324	1356	WScript.exe	94
PID 1356 wrote to memory of 3324	1356	WScript.exe	94
PID 2960 wrote to memory of 2216	2960	WScript.exe	97
PID 2960 wrote to memory of 2216	2960	WScript.exe	97
PID 2960 wrote to memory of 2216	2960	WScript.exe	97
PID 1356 wrote to memory of 904	1356	WScript.exe	98
PID 1356 wrote to memory of 904	1356	WScript.exe	98
PID 1356 wrote to memory of 904	1356	WScript.exe	98
PID 2960 wrote to memory of 2620	2960	WScript.exe	99
PID 2960 wrote to memory of 2620	2960	WScript.exe	99
PID 2960 wrote to memory of 2620	2960	WScript.exe	99
PID 1356 wrote to memory of 4900	1356	WScript.exe	100
PID 1356 wrote to memory of 4900	1356	WScript.exe	100
PID 1356 wrote to memory of 4900	1356	WScript.exe	100
PID 2960 wrote to memory of 3788	2960	WScript.exe	102
PID 2960 wrote to memory of 3788	2960	WScript.exe	102
PID 2960 wrote to memory of 3788	2960	WScript.exe	102
PID 1356 wrote to memory of 4168	1356	WScript.exe	103
PID 1356 wrote to memory of 4168	1356	WScript.exe	103
PID 1356 wrote to memory of 4168	1356	WScript.exe	103
PID 2960 wrote to memory of 4772	2960	WScript.exe	104
PID 2960 wrote to memory of 4772	2960	WScript.exe	104
PID 2960 wrote to memory of 4772	2960	WScript.exe	104
PID 1356 wrote to memory of 1132	1356	WScript.exe	105
PID 1356 wrote to memory of 1132	1356	WScript.exe	105
PID 1356 wrote to memory of 1132	1356	WScript.exe	105
PID 2960 wrote to memory of 4112	2960	WScript.exe	106
PID 2960 wrote to memory of 4112	2960	WScript.exe	106
PID 2960 wrote to memory of 4112	2960	WScript.exe	106
PID 1356 wrote to memory of 632	1356	WScript.exe	107
PID 1356 wrote to memory of 632	1356	WScript.exe	107
PID 1356 wrote to memory of 632	1356	WScript.exe	107
PID 2960 wrote to memory of 3200	2960	WScript.exe	108
PID 2960 wrote to memory of 3200	2960	WScript.exe	108
PID 2960 wrote to memory of 3200	2960	WScript.exe	108
PID 2960 wrote to memory of 2192	2960	WScript.exe	109
PID 2960 wrote to memory of 2192	2960	WScript.exe	109
PID 2960 wrote to memory of 2192	2960	WScript.exe	109
PID 2192 wrote to memory of 3256	2192	svchcst.exe	111
PID 2192 wrote to memory of 3256	2192	svchcst.exe	111
PID 2192 wrote to memory of 3256	2192	svchcst.exe	111
PID 3256 wrote to memory of 4736	3256	WScript.exe	114

C:\Users\Admin\AppData\Local\Temp\08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe
"C:\Users\Admin\AppData\Local\Temp\08d5568abcc7f49f7383500491ef4d3ef7b65da86dae227126547933d36affdc.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1916
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4536
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3324
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:904
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4900
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4168
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1132
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:632
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3516
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:668
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2828
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2216
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4112
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3200
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4736
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3624
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
28accf8c556428fe812f466604617fa4

SHA1
30bc7c29b8b24513fb16c142f3130291fe6545d6

SHA256
eae71e8aba8f64d7801e62fa5b8ca3e5ff54654da997ef4902d77dd450ed60e9

SHA512
72c4398fa9076f7077b63aef426be36c4334e3900793f3e287272e9b53eeaf09a1a39912434e5013b8566c6b66865be5a7df64913906655a7fb48d71b7697d16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
28167c064311357a30cc6de51b34120d

SHA1
cd6e8343bf5fa014ded5905fd8c6037eda277818

SHA256
e1a76a59c230fb740b85443e95d9db97f660e6d57f8f79060c51d3fb21f7af2a

SHA512
a8ca9a0804c9cb2c87148d82b2ffb169d766b6ea91b4106363b24d555c9a58594915364b6cb61a1757723e96f7095f06859ab83a6e1055d43c8e78e9b52c8b57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6ab3a07f03348ea4ad9dfad0237dcf92

SHA1
fec8cc2517cd53b376a20f2b7bd5451ff25e5093

SHA256
86eed1174740bad1f5cfc551c614b7ab40d1954b1180a60a4464130cb49c20b8

SHA512
debab2153a23429c4b157f1c19279ae7b6c30286b90ea4d1f687c3f1362eed0ca4067b5d62c1d108389bcc2a660c326e201076a698a90139aca3bc780113ff3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
41a882f71f4d3dbccd738f65ab677f02

SHA1
1a12303da4df2563e5e15ee5abb0c8e7dee66011

SHA256
b70281f627ad23ef369c826e0faf7e204ecbd8305ace6a5a46efbb3b0d5cce92

SHA512
f2c9e2d87cf5eb8f13c7ecbf2d319d347f0cb1464dac913527f531998c14262ba4c6d6ef5184386d127423729ec4faa5526ce3e690930839eaed09b2d1543e74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
023db6a8b23c668fea65c248a524aa3f

SHA1
e98e2335d7b782deca563a84dbb4175e138e4f99

SHA256
6956774196aec504d93b7b3291e9f775b581daadf136f1adeb2c0e4d74076c4b

SHA512
6f41f69e04d2e803d9f3098a979a9ebb94a36793b4805041fae7cb97de9ce538db83c4adddca844d175648b7cd705923eac234aac48218cb5d0ee55faa67ae6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c1c9abeb1ac0832e8a57688d86052985

SHA1
438dbc7515403593dce0a69e77f27140669b0923

SHA256
f538979b8b20b37015c392744994dc65eaf5cc5698356827a9a4e3e024e860bd

SHA512
f27327e716533c30dd8ea3647623515d7b53a33e8866ee80bc7062b5442c37c239c305b7176402afc32eb75d5f0bf56b6ad3da85e4347c5591139f027fc88c89

Download Submit
memory/448-77-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/448-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/632-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/640-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/640-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/640-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-20-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-18-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/904-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/904-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1132-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1916-14-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1916-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2044-88-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2192-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-29-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2428-92-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2828-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3200-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3324-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3516-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3624-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3788-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4112-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4168-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4536-21-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4736-73-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4772-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4900-35-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download