fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c

Analysis

max time kernel
88s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 17:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe
Size

1.1MB
MD5

5d0513cc6c66da67a62c8b3d6532ae88
SHA1

b659e3729c85bc71ba9a0412c5ebf27d4a235cac
SHA256

fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c
SHA512

4e08dcb89e6fa015da9888a749620076e914e73f426f607d6360e1571a0f6723b1b443ee232cfcc3db84e6ef10f2a4ccaa94b82b91b5c3232cb559fc5a375180
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q/:CcaClSFlG4ZM7QzM4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2708	svchcst.exe

Executes dropped EXE 16 IoCs

pid	Process
2708	svchcst.exe
3000	svchcst.exe
2820	svchcst.exe
2108	svchcst.exe
3036	svchcst.exe
1520	svchcst.exe
2040	svchcst.exe
2172	svchcst.exe
2316	svchcst.exe
1068	svchcst.exe
2892	svchcst.exe
2508	svchcst.exe
1760	svchcst.exe
676	svchcst.exe
1736	svchcst.exe
1088	svchcst.exe

Loads dropped DLL 22 IoCs

pid	Process
2772	WScript.exe
2772	WScript.exe
1144	WScript.exe
1144	WScript.exe
1436	WScript.exe
2304	WScript.exe
3008	WScript.exe
3008	WScript.exe
2060	WScript.exe
1652	WScript.exe
1652	WScript.exe
1652	WScript.exe
2572	WScript.exe
1128	WScript.exe
1128	WScript.exe
1128	WScript.exe
2764	WScript.exe
1348	WScript.exe
2324	WScript.exe
2324	WScript.exe
2324	WScript.exe
1348	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe
2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe
2708	svchcst.exe
2708	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2108	svchcst.exe
2108	svchcst.exe
3036	svchcst.exe
3036	svchcst.exe
1520	svchcst.exe
1520	svchcst.exe
2040	svchcst.exe
2040	svchcst.exe
2172	svchcst.exe
2172	svchcst.exe
2316	svchcst.exe
2316	svchcst.exe
1068	svchcst.exe
1068	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
2508	svchcst.exe
2508	svchcst.exe
1760	svchcst.exe
1760	svchcst.exe
676	svchcst.exe
676	svchcst.exe
1088	svchcst.exe
1088	svchcst.exe
1736	svchcst.exe
1736	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2772	2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe	30
PID 2400 wrote to memory of 2772	2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe	30
PID 2400 wrote to memory of 2772	2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe	30
PID 2400 wrote to memory of 2772	2400	fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe	30
PID 2772 wrote to memory of 2708	2772	WScript.exe	32
PID 2772 wrote to memory of 2708	2772	WScript.exe	32
PID 2772 wrote to memory of 2708	2772	WScript.exe	32
PID 2772 wrote to memory of 2708	2772	WScript.exe	32
PID 2708 wrote to memory of 1144	2708	svchcst.exe	33
PID 2708 wrote to memory of 1144	2708	svchcst.exe	33
PID 2708 wrote to memory of 1144	2708	svchcst.exe	33
PID 2708 wrote to memory of 1144	2708	svchcst.exe	33
PID 1144 wrote to memory of 3000	1144	WScript.exe	34
PID 1144 wrote to memory of 3000	1144	WScript.exe	34
PID 1144 wrote to memory of 3000	1144	WScript.exe	34
PID 1144 wrote to memory of 3000	1144	WScript.exe	34
PID 3000 wrote to memory of 1436	3000	svchcst.exe	35
PID 3000 wrote to memory of 1436	3000	svchcst.exe	35
PID 3000 wrote to memory of 1436	3000	svchcst.exe	35
PID 3000 wrote to memory of 1436	3000	svchcst.exe	35
PID 1436 wrote to memory of 2820	1436	WScript.exe	36
PID 1436 wrote to memory of 2820	1436	WScript.exe	36
PID 1436 wrote to memory of 2820	1436	WScript.exe	36
PID 1436 wrote to memory of 2820	1436	WScript.exe	36
PID 2820 wrote to memory of 2304	2820	svchcst.exe	37
PID 2820 wrote to memory of 2304	2820	svchcst.exe	37
PID 2820 wrote to memory of 2304	2820	svchcst.exe	37
PID 2820 wrote to memory of 2304	2820	svchcst.exe	37
PID 2304 wrote to memory of 2108	2304	WScript.exe	38
PID 2304 wrote to memory of 2108	2304	WScript.exe	38
PID 2304 wrote to memory of 2108	2304	WScript.exe	38
PID 2304 wrote to memory of 2108	2304	WScript.exe	38
PID 2108 wrote to memory of 3008	2108	svchcst.exe	39
PID 2108 wrote to memory of 3008	2108	svchcst.exe	39
PID 2108 wrote to memory of 3008	2108	svchcst.exe	39
PID 2108 wrote to memory of 3008	2108	svchcst.exe	39
PID 3008 wrote to memory of 3036	3008	WScript.exe	40
PID 3008 wrote to memory of 3036	3008	WScript.exe	40
PID 3008 wrote to memory of 3036	3008	WScript.exe	40
PID 3008 wrote to memory of 3036	3008	WScript.exe	40
PID 3036 wrote to memory of 2060	3036	svchcst.exe	41
PID 3036 wrote to memory of 2060	3036	svchcst.exe	41
PID 3036 wrote to memory of 2060	3036	svchcst.exe	41
PID 3036 wrote to memory of 2060	3036	svchcst.exe	41
PID 2060 wrote to memory of 1520	2060	WScript.exe	42
PID 2060 wrote to memory of 1520	2060	WScript.exe	42
PID 2060 wrote to memory of 1520	2060	WScript.exe	42
PID 2060 wrote to memory of 1520	2060	WScript.exe	42
PID 1520 wrote to memory of 1652	1520	svchcst.exe	43
PID 1520 wrote to memory of 1652	1520	svchcst.exe	43
PID 1520 wrote to memory of 1652	1520	svchcst.exe	43
PID 1520 wrote to memory of 1652	1520	svchcst.exe	43
PID 1652 wrote to memory of 2040	1652	WScript.exe	44
PID 1652 wrote to memory of 2040	1652	WScript.exe	44
PID 1652 wrote to memory of 2040	1652	WScript.exe	44
PID 1652 wrote to memory of 2040	1652	WScript.exe	44
PID 2040 wrote to memory of 1784	2040	svchcst.exe	45
PID 2040 wrote to memory of 1784	2040	svchcst.exe	45
PID 2040 wrote to memory of 1784	2040	svchcst.exe	45
PID 2040 wrote to memory of 1784	2040	svchcst.exe	45
PID 1652 wrote to memory of 2172	1652	WScript.exe	46
PID 1652 wrote to memory of 2172	1652	WScript.exe	46
PID 1652 wrote to memory of 2172	1652	WScript.exe	46
PID 1652 wrote to memory of 2172	1652	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe
"C:\Users\Admin\AppData\Local\Temp\fafa87728d1d80d72690d34614031adb0a76af857fadd7ae221d87df4f1bb59c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:676
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
379619305716718fbeeab2f364946c39

SHA1
b663cf106c4673549692fa39d25e9e8f4561cd64

SHA256
c844bc25686320e65c1b5259a6d0d6d47f61709f46e2c8eb2ad3f9c3b9333d84

SHA512
b2c91d0f1cbc9e253bb3bb339acbab0e31eef31188cc00132c423fee2a85c7a91132c9259b99b23a149f6ba1172b8522e2d8350f88dbb735ad8d7a32f71e2ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
951aaea1269f2a203f3dd7cd181c5d34

SHA1
3623d216764b24aa0b02cbc136287252bf5b412a

SHA256
228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4

SHA512
cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
04b0fa55fa60edebea72ffd80d569a16

SHA1
cb51c088c5e28a58ec3d49941696b670660f0608

SHA256
62fa4ff053373b922bd2dd9db907d886492b948a8ee8e97f66999df44fd27e90

SHA512
355d445a279ce7010991d5693337be822d673f0f6f3dc648983ee7ce298391ddce8a12d3a792d76f5b75061fb8a3e744ddfed6d8cf9944bb2a6907015982afa9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3436c1c6420b4dd3e950884257e8b45d

SHA1
4889f8460c4c1b1fc3f357a03df6ca7fac272fbf

SHA256
88d11bc6a0ed417ee8dbbc8ec0894c9b616480afec00a30256ca41150aab17b8

SHA512
7960190b3738a018b0c04804e673662b6227bc397fa6a6ca2b1b1041ed7403f4dbe80f7aa6d63484f1f49c98361f27dd425b95b4c6fafedafb5f1e864b3adeb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ed546bb522a06b2fe1964359d1c00489

SHA1
f645b56f6b42e6e187d97e90006e64493e168dfd

SHA256
770b107915197c74e581cfd8ea4047ad94180a81a2e6422eb5a8139839645257

SHA512
bc0172ea605aeb832088b2e5d3cd3c4ba9f052a1f4afaa3696e8672f3e6a5776537472d56805f0dea9d8474ffca77d9b574331c9dc57bc7a6e029e01169de0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e0e0a1f6d22e3905753a9c1ed053cbff

SHA1
52c11b8049f4015d7825fc1fcbd0d5eadb29a6e4

SHA256
2eca9ba67f160c00268003e7239f9cfc5da0f10b6a0b3c82538ef2a0874b871d

SHA512
3eb98287cc8115cb648626272eaa6cc77cb57fcd614f0e969d3af3977a8e09e0f7f6f3ee6ef9322e096bf0cec546f681a6983030a10e972b538d42e2bd17740c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6a10838e65cf3aedda11230ee7f407b7

SHA1
7878e96feb82d309b74e4fe98ad256d3bfd63d08

SHA256
79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

SHA512
7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
4f1c3e04fe09c26eac61a6a5e73d41a6

SHA1
5d61ea8f22af3a41286cfd2e03bf0d5fe912527e

SHA256
fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b

SHA512
23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c1f667683c1809dc2fa81d863ea10a4e

SHA1
dc9fdbeca32f2afbcfdc5363769ebb594fc93e44

SHA256
a0afd04975f7f5cf26533640020a9533d4dcf1b152143e69196f93bd5b49fa1e

SHA512
e4c894530934444cb97392b0180e5b6040b84ab5c639412c6b9e5355a13152412da8d881403832c2f3c601624465b16242ebd8710f6e6a4666a27e15ce759b2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
38524a81746242b3c6cf0addfdba65fb

SHA1
4edbf3cb2ee38f3a08cffb2285d7c400f04b83e7

SHA256
ac64e592982ddbb5ec6fcf21e1e8e77e13c00594855849f5fa7569d00893b19a

SHA512
8d9b2d2d83f76e1025468f4ef00d9f7a920ebf70a002e8eb1b54bc2f56147fd7e893af7be02796de6d075630f4f21a023870d5b55be0b0e7a82f3e3e689f5e29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
128271e8cd7a2cce57098adee0602ec5

SHA1
1a3adf6dab3bcf5821af5f403201bb34626858bb

SHA256
dbd7d3e96dc3f39ae4826ed380d476ad7e385e4f8ad4c2dce74a93fadeb16b17

SHA512
791c8414e3c56141433dba7230d2561cfa296a89812fcff2f59319e30d738ec805d87a2852df58b768298613638b51279313441e1cb53a52a716efa9fd362a2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2d280871e932e5e2cf825cb7c3889474

SHA1
c9b3081ea7c50f7807f83dd27e28fdf103e36aba

SHA256
a518a6f5be336e6c5fd002448ba44a04e19a40351d3e62c62853a35af8659c82

SHA512
f0f5a5a26baa0bed10f6f5a939451913ee56d72801d0f4e1cb6f1df9587e1c39482f8146d13ce17c8520c4bf3e05c325b6c81e7937e2ce3b06593a0119bed7e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
26549296772b096461e7764e2ee3e971

SHA1
81d37a57e4a5c5fb1dbb42f125327b6ad10b4926

SHA256
eb57fc50fa5981d4b0f8e0b602eb1717fdbc3499fd782012e6d0fdb5c2d572f1

SHA512
f426904c1a1d7d83be3c6fb2b95dbbbc4961c541d4f3f790557c9f6cc64aee9209b1a7d4a235a6de16d1ebc33eea9d27297f4d6463e7746e599e800301882318

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
8b3c262c9e39f661c3bf9e77c74736f9

SHA1
836a0872fb65c1b49ff0dd615f32edce963c942a

SHA256
0dcdc8f2b8a5bd5c2f81b77212f255c17302e3bfaeadafbd131a1956ada7a208

SHA512
11e8711cf64b3b979bfe68e34358b4797b3000a87b381bee9ace37cf84e0e351590b66e3cb12378b320e19bc80346ca9f6a605f0bd9264ef9567e6c691e3a645

Download Submit
memory/2400-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download