f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
Size

1.1MB
MD5

e73af20e87412f354e2e080280a9bdff
SHA1

d9d82c249f6ec0e337acfc040103047b891246bc
SHA256

f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e
SHA512

fd9423a302ede6b2b5dd6cb080affcd1d4db803fae5e5e926e2c882e5aec2b4cc9d5502b13d1c406eaa93ba91ded0431928637feeb76c60c0e3aafc0b5eb049a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qd:CcaClSFlG4ZM7QzM2

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2756	svchcst.exe

Executes dropped EXE 24 IoCs

pid	Process
2756	svchcst.exe
2140	svchcst.exe
1932	svchcst.exe
1260	svchcst.exe
756	svchcst.exe
2084	svchcst.exe
2156	svchcst.exe
1856	svchcst.exe
3020	svchcst.exe
2960	svchcst.exe
2704	svchcst.exe
2400	svchcst.exe
1060	svchcst.exe
2044	svchcst.exe
1628	svchcst.exe
792	svchcst.exe
2240	svchcst.exe
2296	svchcst.exe
1708	svchcst.exe
1936	svchcst.exe
2648	svchcst.exe
2196	svchcst.exe
2088	svchcst.exe
1148	svchcst.exe

Loads dropped DLL 36 IoCs

pid	Process
1136	WScript.exe
1136	WScript.exe
2412	WScript.exe
1264	WScript.exe
1264	WScript.exe
2344	WScript.exe
2344	WScript.exe
1340	WScript.exe
1340	WScript.exe
2544	WScript.exe
2544	WScript.exe
2828	WScript.exe
2828	WScript.exe
1732	WScript.exe
1732	WScript.exe
2828	WScript.exe
2604	WScript.exe
2604	WScript.exe
572	WScript.exe
572	WScript.exe
1780	WScript.exe
1780	WScript.exe
984	WScript.exe
984	WScript.exe
2332	WScript.exe
2332	WScript.exe
2440	WScript.exe
2440	WScript.exe
2836	WScript.exe
2836	WScript.exe
2120	WScript.exe
2120	WScript.exe
924	WScript.exe
924	WScript.exe
2612	WScript.exe
2612	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe
2756	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
2756	svchcst.exe
2756	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe
1932	svchcst.exe
1932	svchcst.exe
1260	svchcst.exe
1260	svchcst.exe
756	svchcst.exe
756	svchcst.exe
2084	svchcst.exe
2084	svchcst.exe
2156	svchcst.exe
2156	svchcst.exe
1856	svchcst.exe
1856	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
2960	svchcst.exe
2960	svchcst.exe
2704	svchcst.exe
2704	svchcst.exe
2400	svchcst.exe
2400	svchcst.exe
1060	svchcst.exe
1060	svchcst.exe
2044	svchcst.exe
2044	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
792	svchcst.exe
792	svchcst.exe
2240	svchcst.exe
2240	svchcst.exe
2936	svchcst.exe
2936	svchcst.exe
1708	svchcst.exe
1708	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2648	svchcst.exe
2648	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
1148	svchcst.exe
1148	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1136	3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	30
PID 3056 wrote to memory of 1136	3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	30
PID 3056 wrote to memory of 1136	3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	30
PID 3056 wrote to memory of 1136	3056	f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe	30
PID 1136 wrote to memory of 2756	1136	WScript.exe	32
PID 1136 wrote to memory of 2756	1136	WScript.exe	32
PID 1136 wrote to memory of 2756	1136	WScript.exe	32
PID 1136 wrote to memory of 2756	1136	WScript.exe	32
PID 2756 wrote to memory of 2412	2756	svchcst.exe	33
PID 2756 wrote to memory of 2412	2756	svchcst.exe	33
PID 2756 wrote to memory of 2412	2756	svchcst.exe	33
PID 2756 wrote to memory of 2412	2756	svchcst.exe	33
PID 2412 wrote to memory of 2140	2412	WScript.exe	35
PID 2412 wrote to memory of 2140	2412	WScript.exe	35
PID 2412 wrote to memory of 2140	2412	WScript.exe	35
PID 2412 wrote to memory of 2140	2412	WScript.exe	35
PID 2140 wrote to memory of 1264	2140	svchcst.exe	36
PID 2140 wrote to memory of 1264	2140	svchcst.exe	36
PID 2140 wrote to memory of 1264	2140	svchcst.exe	36
PID 2140 wrote to memory of 1264	2140	svchcst.exe	36
PID 1264 wrote to memory of 1932	1264	WScript.exe	37
PID 1264 wrote to memory of 1932	1264	WScript.exe	37
PID 1264 wrote to memory of 1932	1264	WScript.exe	37
PID 1264 wrote to memory of 1932	1264	WScript.exe	37
PID 1932 wrote to memory of 2200	1932	svchcst.exe	38
PID 1932 wrote to memory of 2200	1932	svchcst.exe	38
PID 1932 wrote to memory of 2200	1932	svchcst.exe	38
PID 1932 wrote to memory of 2200	1932	svchcst.exe	38
PID 1264 wrote to memory of 1260	1264	WScript.exe	39
PID 1264 wrote to memory of 1260	1264	WScript.exe	39
PID 1264 wrote to memory of 1260	1264	WScript.exe	39
PID 1264 wrote to memory of 1260	1264	WScript.exe	39
PID 1260 wrote to memory of 2344	1260	svchcst.exe	40
PID 1260 wrote to memory of 2344	1260	svchcst.exe	40
PID 1260 wrote to memory of 2344	1260	svchcst.exe	40
PID 1260 wrote to memory of 2344	1260	svchcst.exe	40
PID 2344 wrote to memory of 756	2344	WScript.exe	41
PID 2344 wrote to memory of 756	2344	WScript.exe	41
PID 2344 wrote to memory of 756	2344	WScript.exe	41
PID 2344 wrote to memory of 756	2344	WScript.exe	41
PID 756 wrote to memory of 1152	756	svchcst.exe	42
PID 756 wrote to memory of 1152	756	svchcst.exe	42
PID 756 wrote to memory of 1152	756	svchcst.exe	42
PID 756 wrote to memory of 1152	756	svchcst.exe	42
PID 2344 wrote to memory of 2084	2344	WScript.exe	43
PID 2344 wrote to memory of 2084	2344	WScript.exe	43
PID 2344 wrote to memory of 2084	2344	WScript.exe	43
PID 2344 wrote to memory of 2084	2344	WScript.exe	43
PID 2084 wrote to memory of 1340	2084	svchcst.exe	44
PID 2084 wrote to memory of 1340	2084	svchcst.exe	44
PID 2084 wrote to memory of 1340	2084	svchcst.exe	44
PID 2084 wrote to memory of 1340	2084	svchcst.exe	44
PID 1340 wrote to memory of 2156	1340	WScript.exe	45
PID 1340 wrote to memory of 2156	1340	WScript.exe	45
PID 1340 wrote to memory of 2156	1340	WScript.exe	45
PID 1340 wrote to memory of 2156	1340	WScript.exe	45
PID 2156 wrote to memory of 2356	2156	svchcst.exe	46
PID 2156 wrote to memory of 2356	2156	svchcst.exe	46
PID 2156 wrote to memory of 2356	2156	svchcst.exe	46
PID 2156 wrote to memory of 2356	2156	svchcst.exe	46
PID 1340 wrote to memory of 1856	1340	WScript.exe	47
PID 1340 wrote to memory of 1856	1340	WScript.exe	47
PID 1340 wrote to memory of 1856	1340	WScript.exe	47
PID 1340 wrote to memory of 1856	1340	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe
"C:\Users\Admin\AppData\Local\Temp\f31d6cfcd606e85494d2788288fa927bdb438e6314a43cfce7ca4b2a785eec5e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:792
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0297693238c8d2753940dd61243ddfd8

SHA1
c5e61e727061ecb2475cfd052102d1ec3f837ad8

SHA256
2c553c736dbf82875ba83b712b4d0a0e5b63b0e4089f0882755bbf078c22c0a5

SHA512
042527b1ea8d7e3cc25f8cc72c357e39ef822e78eb9c5802613ff806f9869fff49e63ebd0d8e52754c5a918fd76640dd0bc7a1a1dfd5e82cecfcfcc13c8579cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
cb7503ce039a2b61b726bb822bff372d

SHA1
5510770d001676247583b91e5d64a98066f7727f

SHA256
26d51dfadededb042d7ccb76aa373c6c8e3b870f6445e44e1feaa04bcf09232b

SHA512
f68816d6f63d85c4825efc66a63d34b77403ba2b3236c935b3a49e9ffb72160c4cc89a6b0a5efeddefab342d58e59a36d2cb14b496d0c423a51683b58fdb8669

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d9ab21af2046aedc3484d569036c3ef7

SHA1
ade5e9eb5b1180a77a2164e61f74beb411cdfb56

SHA256
90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

SHA512
cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
33923002ff087d4e9d20dc9167bf4b6f

SHA1
cd218dc8073081f7329889f96e1159c6d11fb8a1

SHA256
f24781ed9f535b0d29cbef666b2e299ee84ab75c48fd47bfdf0e9c2beaa0796e

SHA512
628c465e3ebed9b3ad689a6fa1fe38d3194c69a7446320408c28667acd49a157b853f734325e828a1577810393d0f9e69b6719bd7c201816ef0f06219a26534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a94fff9bade36e4d067e0fcefb1a8f5

SHA1
1713c3fc499a56cd97035e44405e0b5e1a0a586b

SHA256
1977a5ac15e88252efdd11b9aace6de92383e71132a94273b0e890e92ae91048

SHA512
89a7dd6811f9491a14bf49f1cbce3e869107d2e0d410fa3d3c867ce68d573d6f8e6ada98ac3635fc620c96c61676b5cef2563b5fbea14f617c1fa61bce4f3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a3b1a2435db9006df38c9e78df96e2f2

SHA1
a8a6d302d102686610f54547bdf0245b177a752f

SHA256
8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e

SHA512
fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5d0d203da02edb604545d3d826c88b42

SHA1
9be0cfd40b48d4e6041e00827047a8b0d877d4a1

SHA256
5f341c2f1ff381eecedbf6fcbe549724323c30c05728132a98ea55f607bc3e81

SHA512
a3e01552a9576ba8dd9aa9f65211f74a69588a316d984b8887e740c6c174e19df2056dc0138d5af26bd927e192ec2c7d355fc8b4092e30d55de910e932fbd49f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f90544e58b22e5a8cf9e054521f08dbe

SHA1
41576d7e10771d6d7a5665155469656571415994

SHA256
bbf3272e98c50a2c6ae314cf2eaa62ebb3dd4589aea7a51d6755f8fbf3f581a9

SHA512
58db59fb96992f3142e766fe91ef939340fe2ab216e4b5d00554da8890c0080524b516cbd3469844f7357ae90684825ec0a543d72c37e34c93f63527dca20285

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
90aea3ab5704aa1f3e923d67d4b00f0b

SHA1
b23ebf97cab8f546fec09ce5936d72df23c8daf9

SHA256
38b0d29e4f7dd1d554b0e09471e5d912e10a38d23c12acb4201a28277f46fe06

SHA512
5abc7957ff578e5f22e9f209310ec6ab294ccd50021f8bc0790550d863d1bf491a06e2b490db20d79ca1f2a20d804aa11bb17bb5ef9c8b24dd97cfb8fd95a069

Download Submit
memory/3056-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download