f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
Size

1.1MB
MD5

6971b3e1ac3a0bdbdc8dbb8d8b2d3a6c
SHA1

3f6e61324733af3c84cc8a108ee0591bfad98a96
SHA256

f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a
SHA512

a99567234593d2a6eeefd8e000899eab5e4140e6207186ff4e80c17ba8bb163b11958a5a0f410e779a7df053e1348c92e4e1deb5816e8c8ba201061f127d5777
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qc:acallSllG4ZM7QzM7

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2976	svchcst.exe

Executes dropped EXE 21 IoCs

pid	Process
2976	svchcst.exe
1652	svchcst.exe
1664	svchcst.exe
2196	svchcst.exe
2500	svchcst.exe
1348	svchcst.exe
880	svchcst.exe
584	svchcst.exe
2544	svchcst.exe
1604	svchcst.exe
2436	svchcst.exe
2196	svchcst.exe
668	svchcst.exe
3064	svchcst.exe
2748	svchcst.exe
2564	svchcst.exe
1488	svchcst.exe
1616	svchcst.exe
2904	svchcst.exe
3020	svchcst.exe
2140	svchcst.exe

Loads dropped DLL 34 IoCs

pid	Process
2340	WScript.exe
2340	WScript.exe
1292	WScript.exe
1848	WScript.exe
1848	WScript.exe
2952	WScript.exe
1636	WScript.exe
1636	WScript.exe
1636	WScript.exe
2032	WScript.exe
2356	WScript.exe
2356	WScript.exe
2356	WScript.exe
340	WScript.exe
340	WScript.exe
1744	WScript.exe
2220	WScript.exe
2220	WScript.exe
2216	WScript.exe
2216	WScript.exe
2444	WScript.exe
2444	WScript.exe
1108	WScript.exe
1108	WScript.exe
1992	WScript.exe
1992	WScript.exe
1184	WScript.exe
1184	WScript.exe
1648	WScript.exe
1648	WScript.exe
3016	WScript.exe
3016	WScript.exe
2076	WScript.exe
2076	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe
2976	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
2976	svchcst.exe
2976	svchcst.exe
1652	svchcst.exe
1652	svchcst.exe
1664	svchcst.exe
1664	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
2500	svchcst.exe
2500	svchcst.exe
1348	svchcst.exe
1348	svchcst.exe
880	svchcst.exe
880	svchcst.exe
584	svchcst.exe
584	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
2436	svchcst.exe
2436	svchcst.exe
2196	svchcst.exe
2196	svchcst.exe
668	svchcst.exe
668	svchcst.exe
3064	svchcst.exe
3064	svchcst.exe
2748	svchcst.exe
2748	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe
1488	svchcst.exe
1488	svchcst.exe
1616	svchcst.exe
1616	svchcst.exe
2904	svchcst.exe
2904	svchcst.exe
3020	svchcst.exe
3020	svchcst.exe
2140	svchcst.exe
2140	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2340	1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	31
PID 1796 wrote to memory of 2340	1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	31
PID 1796 wrote to memory of 2340	1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	31
PID 1796 wrote to memory of 2340	1796	f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe	31
PID 2340 wrote to memory of 2976	2340	WScript.exe	33
PID 2340 wrote to memory of 2976	2340	WScript.exe	33
PID 2340 wrote to memory of 2976	2340	WScript.exe	33
PID 2340 wrote to memory of 2976	2340	WScript.exe	33
PID 2976 wrote to memory of 1292	2976	svchcst.exe	34
PID 2976 wrote to memory of 1292	2976	svchcst.exe	34
PID 2976 wrote to memory of 1292	2976	svchcst.exe	34
PID 2976 wrote to memory of 1292	2976	svchcst.exe	34
PID 1292 wrote to memory of 1652	1292	WScript.exe	35
PID 1292 wrote to memory of 1652	1292	WScript.exe	35
PID 1292 wrote to memory of 1652	1292	WScript.exe	35
PID 1292 wrote to memory of 1652	1292	WScript.exe	35
PID 1652 wrote to memory of 1848	1652	svchcst.exe	36
PID 1652 wrote to memory of 1848	1652	svchcst.exe	36
PID 1652 wrote to memory of 1848	1652	svchcst.exe	36
PID 1652 wrote to memory of 1848	1652	svchcst.exe	36
PID 1848 wrote to memory of 1664	1848	WScript.exe	37
PID 1848 wrote to memory of 1664	1848	WScript.exe	37
PID 1848 wrote to memory of 1664	1848	WScript.exe	37
PID 1848 wrote to memory of 1664	1848	WScript.exe	37
PID 1664 wrote to memory of 2952	1664	svchcst.exe	38
PID 1664 wrote to memory of 2952	1664	svchcst.exe	38
PID 1664 wrote to memory of 2952	1664	svchcst.exe	38
PID 1664 wrote to memory of 2952	1664	svchcst.exe	38
PID 2952 wrote to memory of 2196	2952	WScript.exe	39
PID 2952 wrote to memory of 2196	2952	WScript.exe	39
PID 2952 wrote to memory of 2196	2952	WScript.exe	39
PID 2952 wrote to memory of 2196	2952	WScript.exe	39
PID 2196 wrote to memory of 1636	2196	svchcst.exe	40
PID 2196 wrote to memory of 1636	2196	svchcst.exe	40
PID 2196 wrote to memory of 1636	2196	svchcst.exe	40
PID 2196 wrote to memory of 1636	2196	svchcst.exe	40
PID 1636 wrote to memory of 2500	1636	WScript.exe	41
PID 1636 wrote to memory of 2500	1636	WScript.exe	41
PID 1636 wrote to memory of 2500	1636	WScript.exe	41
PID 1636 wrote to memory of 2500	1636	WScript.exe	41
PID 2500 wrote to memory of 2032	2500	svchcst.exe	42
PID 2500 wrote to memory of 2032	2500	svchcst.exe	42
PID 2500 wrote to memory of 2032	2500	svchcst.exe	42
PID 2500 wrote to memory of 2032	2500	svchcst.exe	42
PID 1636 wrote to memory of 1348	1636	WScript.exe	43
PID 1636 wrote to memory of 1348	1636	WScript.exe	43
PID 1636 wrote to memory of 1348	1636	WScript.exe	43
PID 1636 wrote to memory of 1348	1636	WScript.exe	43
PID 1348 wrote to memory of 3056	1348	svchcst.exe	44
PID 1348 wrote to memory of 3056	1348	svchcst.exe	44
PID 1348 wrote to memory of 3056	1348	svchcst.exe	44
PID 1348 wrote to memory of 3056	1348	svchcst.exe	44
PID 2032 wrote to memory of 880	2032	WScript.exe	45
PID 2032 wrote to memory of 880	2032	WScript.exe	45
PID 2032 wrote to memory of 880	2032	WScript.exe	45
PID 2032 wrote to memory of 880	2032	WScript.exe	45
PID 880 wrote to memory of 2356	880	svchcst.exe	46
PID 880 wrote to memory of 2356	880	svchcst.exe	46
PID 880 wrote to memory of 2356	880	svchcst.exe	46
PID 880 wrote to memory of 2356	880	svchcst.exe	46
PID 584 wrote to memory of 2184	584	svchcst.exe	48
PID 584 wrote to memory of 2184	584	svchcst.exe	48
PID 584 wrote to memory of 2184	584	svchcst.exe	48
PID 584 wrote to memory of 2184	584	svchcst.exe	48

C:\Users\Admin\AppData\Local\Temp\f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe
"C:\Users\Admin\AppData\Local\Temp\f868de331616392a73f169e336c2cd1dfdd72f87c67e0a93b582144d9457070a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
d4993dc9d3acec6e4d9ef3bb0c8fec33

SHA1
1a47a801b2adcbfbd6e85109cf306d21f502c653

SHA256
a2fa372dc289b98e37dff82c1aa20164d9a318153ef38b1378fbadac0c0c52f8

SHA512
1e22886faeda2900c5e0726db2beb185546ad45afda54e1ab5b61377b80069353e3e67eb7b2f70f081ccde5f64ffa9a6d11fe12f802a8984d82b370926e9d816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
cd34ba54e0dd84bc94990092afc183a9

SHA1
938feedabe63e3e7c6cbb6a405512e21a7ebe449

SHA256
44358f1aedf540acf9e56069e4cc6d4e6a2445ccba362dad9ec4e2f59e0178ab

SHA512
1c261ac13591d4d1cd3692dae12de7fb393134b014dbc766b2946b6ea983e74cef7984bb7003241d5221dea9df78e5f5fe31a839ad7d8453a79db887c8d09958

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a6723d81dd75369a43431bd61814ac74

SHA1
c3d950a8d9f5738222594d01dcaae3fcb467d548

SHA256
add1a22f571c2dfbfda508d6ad632223ab81690c73a376500e56855afeb1752b

SHA512
d7a42037066b1b1d1dffbc792aef400ca374665b012f02de40a6ff118482acd14555edabd6750defb402a6cf4e273a132c1856103202e47aa090119546718727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
70e226fbd8b4b3f2ddf8a8753a77586a

SHA1
a81a39d08f77479d0ee65599dd2749031c32fc19

SHA256
3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

SHA512
f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9e8dca236ce949019c46b94428612ac9

SHA1
0917050afcbb7b94fce6fbb9827fb57de7432b0b

SHA256
bd9f06dbb8f2165c3b75da289ad7983f0c57328d236b2c68a2b5798188874fb3

SHA512
23ce9deba9286cbb24c1725503542b63d7e44ea7ada302e5aba6595f84398e2162008d7431f842cccfb2b8fae126216d85c566931d5fcc8c8c5625e2c05f44d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6d7f7c489889b75561316023d3e8b801

SHA1
222906d8a273e49d99b9107d388856ba8e6a5400

SHA256
3c01dd72d85883db4a345c0092b799f8deb31d43fde226e7df011c64d95202a7

SHA512
7238e65f9b93ee3be8828f01b54fbb6acaeaaf31e2b62af398356b02fa80d615acc3f41139fb001b9c1e8855e5cfa467f2883acda663a08194955cadb409a24a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae63ded87a90f9812749cac189d07a57

SHA1
5a37ba565ce8c2445ff71f7c3d7adc38cb68627f

SHA256
6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236

SHA512
293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1af246ca0660faf0fa7da4b4c9c61316

SHA1
c050b0bd311f2e5240cd7e9df583e41b133e9521

SHA256
2b84bcefb62d7564e2e7d1be8105a26f798b4c73cca142c054da02262f61ede8

SHA512
3fadf6605620aea1f9c9e94d62193fc416af6d5272bc675d399ea1ea96a070b4de69cab61736cea89c744ce3b203f0790d617789d25811a6ca535fc9f6159793

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
51b2348c37bbedcb127fa176820f5ea2

SHA1
6e70ca09179127890e64c4ffa345b2af573c39fa

SHA256
7b37f5580068bfba5583d762d9b64c8ee6468a9e064547f230757c4be595bd02

SHA512
0f9755ae0408b0dd6e1279bfa8c5dfbe63b3775a81a3c5b342c5e56e7521d292b0c4e94053e6fa0c3da233f3af60aae2dc28749f991ea81fd9bf2627698a343e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d6aef0b19d7d8dc2eda464cf358007b7

SHA1
c271fa23eee2c534cc862f7575df47f660c94d27

SHA256
70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

SHA512
c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1a9d2727f5157f704f57fb2f0e0a7939

SHA1
4085542ccb9a53b29208916307ee515880d6410f

SHA256
46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

SHA512
7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
06a252a9516053e44ec8e64f1ebf0533

SHA1
29ac97e0cdade946c4feb81ad3f78d70953a2277

SHA256
6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c

SHA512
0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
19182e2937f01a6b159ba080053beb6b

SHA1
d46f3cee37416bddb56f55542a3155f1cd3860ad

SHA256
f3737d337dec7f634eeb53148d016d464ff8f898aa07469b43fd98571e012a28

SHA512
2cae2dfa6cc18365b23be8964522793638a8d49c90127d0565900fda02538f81d3b65047dfd114fb10c64b54886e973718597f07679309e37b8d8ce5d479383d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
14386af3031239e6a043b5589c04b675

SHA1
2ab8503c7557ce79c040b08305850b2300fe3e7a

SHA256
ae6fbed4aa5fb383474075ef1e96c4b5d3b156fb5b3e9ee8f6f96e1712148f9f

SHA512
293b1cc874169814d810e3e64f5787e0e2470765c384077bb06aaa58d8cbc39f70c9542b2792dfb54776b04da027ee0ec9fd2facb6a9bcf2645a68dc9f39deed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d7f4369271c2dd4043d68a9389a5947b

SHA1
7d4264a26b94e8698be16ce99c9eedffb3ab9b99

SHA256
714fe8332a2c9707cef093a1ba4f683b9cef2516c1cb3100baf442a51fd90e0c

SHA512
eb8c7bb0c049ee36d94fd94bc59c8a53fc0257f9dfd4c7e195938558b02f9ce254cfe0cca002b20b922d201421fea13f6206af69158e2221288139d1be7916bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
14a9d33dac78166202a0ae4224e9467c

SHA1
d45ccd1ca3d4475e6fac852b76eec0f0ed250548

SHA256
4e58df5c03ffa280dd725365848f4748217277c6574eb06b3deb5a08bcb4856e

SHA512
1d7c40c61faf8a9fbdb11fb602361136a61577b6b4fd26792ebd619a5477f34d2a560ce41b76eaf0a480e3bbb79c8569fff305e2fc201c43ecb7b9daad52345d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3e3f6ab6d6fe867362ee1de36445fda7

SHA1
0eaa16c6ecb28e45ba32ce887f898f7236417632

SHA256
89c1ffeb86c3fc02022a369ab4c15f604f6ae27711190bc03f4ce4e8951e16f6

SHA512
d1c5495ad726dbfe62e8cbc7ab7937ee63705f6422aeb6f9a4bac9101d1dd86a8f78c9c560e5e8bab8e06c179c7e56000f0b873bda054dcb4a43339bb01ddfab

Download Submit
memory/584-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/584-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-172-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/668-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/880-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/880-93-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1348-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1348-84-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1488-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1488-206-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1604-132-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1604-141-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-211-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1616-214-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-229-0x00000000048B0000-0x0000000004A0F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1652-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1664-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1796-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2140-231-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-164-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-60-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2196-53-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2216-173-0x0000000004790000-0x00000000048EF000-memory.dmp

Filesize
1.4MB

Download
memory/2340-14-0x0000000004510000-0x000000000466F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-144-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2436-152-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2500-71-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2544-126-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-198-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-189-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2748-182-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2904-219-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2904-222-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2976-24-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3020-230-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-181-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download