06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe
Size

1.1MB
MD5

c95f845b3532906893538d13876898d0
SHA1

d505c9dcd00a99ac0bfef4528cf3c8d41df10c07
SHA256

06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316
SHA512

48026292cf126cc1f58d548764ef39aae72af5881b0f6e801de86cde0f05271c44b05a10f10da9609e968d0e38a675c8908e111b4148816ba9febbd7401e20e4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QY:CcaClSFlG4ZM7QzMf

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2192	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2192	svchcst.exe
688	svchcst.exe
2160	svchcst.exe
2312	svchcst.exe
844	svchcst.exe
1844	svchcst.exe
1628	svchcst.exe
2100	svchcst.exe
2768	svchcst.exe
592	svchcst.exe
1936	svchcst.exe
2336	svchcst.exe
1680	svchcst.exe
1316	svchcst.exe
304	svchcst.exe
2520	svchcst.exe
2100	svchcst.exe
2768	svchcst.exe
2816	svchcst.exe
1600	svchcst.exe
2328	svchcst.exe
1604	svchcst.exe
2008	svchcst.exe

Loads dropped DLL 43 IoCs

pid	Process
1960	WScript.exe
1960	WScript.exe
2600	WScript.exe
2600	WScript.exe
2976	WScript.exe
2976	WScript.exe
1536	WScript.exe
2316	WScript.exe
2316	WScript.exe
672	WScript.exe
672	WScript.exe
1396	WScript.exe
1396	WScript.exe
2448	WScript.exe
2448	WScript.exe
1060	WScript.exe
2612	WScript.exe
1732	WScript.exe
1732	WScript.exe
1740	WScript.exe
1740	WScript.exe
1164	WScript.exe
1164	WScript.exe
1332	WScript.exe
1332	WScript.exe
1000	WScript.exe
1000	WScript.exe
632	WScript.exe
632	WScript.exe
2340	WScript.exe
2340	WScript.exe
2604	WScript.exe
2604	WScript.exe
2424	WScript.exe
2424	WScript.exe
2292	WScript.exe
2292	WScript.exe
952	WScript.exe
952	WScript.exe
1932	WScript.exe
1932	WScript.exe
960	WScript.exe
960	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe
2192	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe
2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe
2192	svchcst.exe
2192	svchcst.exe
688	svchcst.exe
688	svchcst.exe
2160	svchcst.exe
2160	svchcst.exe
2312	svchcst.exe
2312	svchcst.exe
844	svchcst.exe
844	svchcst.exe
1844	svchcst.exe
1844	svchcst.exe
1628	svchcst.exe
1628	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
592	svchcst.exe
592	svchcst.exe
1936	svchcst.exe
1936	svchcst.exe
2336	svchcst.exe
2336	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
1316	svchcst.exe
1316	svchcst.exe
304	svchcst.exe
304	svchcst.exe
2520	svchcst.exe
2520	svchcst.exe
2100	svchcst.exe
2100	svchcst.exe
2768	svchcst.exe
2768	svchcst.exe
2816	svchcst.exe
2816	svchcst.exe
1600	svchcst.exe
1600	svchcst.exe
2328	svchcst.exe
2328	svchcst.exe
1604	svchcst.exe
1604	svchcst.exe
2008	svchcst.exe
2008	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1960	2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe	30
PID 2000 wrote to memory of 1960	2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe	30
PID 2000 wrote to memory of 1960	2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe	30
PID 2000 wrote to memory of 1960	2000	06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe	30
PID 1960 wrote to memory of 2192	1960	WScript.exe	33
PID 1960 wrote to memory of 2192	1960	WScript.exe	33
PID 1960 wrote to memory of 2192	1960	WScript.exe	33
PID 1960 wrote to memory of 2192	1960	WScript.exe	33
PID 2192 wrote to memory of 2600	2192	svchcst.exe	34
PID 2192 wrote to memory of 2600	2192	svchcst.exe	34
PID 2192 wrote to memory of 2600	2192	svchcst.exe	34
PID 2192 wrote to memory of 2600	2192	svchcst.exe	34
PID 2600 wrote to memory of 688	2600	WScript.exe	35
PID 2600 wrote to memory of 688	2600	WScript.exe	35
PID 2600 wrote to memory of 688	2600	WScript.exe	35
PID 2600 wrote to memory of 688	2600	WScript.exe	35
PID 688 wrote to memory of 2976	688	svchcst.exe	36
PID 688 wrote to memory of 2976	688	svchcst.exe	36
PID 688 wrote to memory of 2976	688	svchcst.exe	36
PID 688 wrote to memory of 2976	688	svchcst.exe	36
PID 2976 wrote to memory of 2160	2976	WScript.exe	37
PID 2976 wrote to memory of 2160	2976	WScript.exe	37
PID 2976 wrote to memory of 2160	2976	WScript.exe	37
PID 2976 wrote to memory of 2160	2976	WScript.exe	37
PID 2160 wrote to memory of 1536	2160	svchcst.exe	38
PID 2160 wrote to memory of 1536	2160	svchcst.exe	38
PID 2160 wrote to memory of 1536	2160	svchcst.exe	38
PID 2160 wrote to memory of 1536	2160	svchcst.exe	38
PID 1536 wrote to memory of 2312	1536	WScript.exe	39
PID 1536 wrote to memory of 2312	1536	WScript.exe	39
PID 1536 wrote to memory of 2312	1536	WScript.exe	39
PID 1536 wrote to memory of 2312	1536	WScript.exe	39
PID 2312 wrote to memory of 2316	2312	svchcst.exe	40
PID 2312 wrote to memory of 2316	2312	svchcst.exe	40
PID 2312 wrote to memory of 2316	2312	svchcst.exe	40
PID 2312 wrote to memory of 2316	2312	svchcst.exe	40
PID 2316 wrote to memory of 844	2316	WScript.exe	41
PID 2316 wrote to memory of 844	2316	WScript.exe	41
PID 2316 wrote to memory of 844	2316	WScript.exe	41
PID 2316 wrote to memory of 844	2316	WScript.exe	41
PID 844 wrote to memory of 672	844	svchcst.exe	42
PID 844 wrote to memory of 672	844	svchcst.exe	42
PID 844 wrote to memory of 672	844	svchcst.exe	42
PID 844 wrote to memory of 672	844	svchcst.exe	42
PID 672 wrote to memory of 1844	672	WScript.exe	43
PID 672 wrote to memory of 1844	672	WScript.exe	43
PID 672 wrote to memory of 1844	672	WScript.exe	43
PID 672 wrote to memory of 1844	672	WScript.exe	43
PID 1844 wrote to memory of 1396	1844	svchcst.exe	44
PID 1844 wrote to memory of 1396	1844	svchcst.exe	44
PID 1844 wrote to memory of 1396	1844	svchcst.exe	44
PID 1844 wrote to memory of 1396	1844	svchcst.exe	44
PID 1396 wrote to memory of 1628	1396	WScript.exe	45
PID 1396 wrote to memory of 1628	1396	WScript.exe	45
PID 1396 wrote to memory of 1628	1396	WScript.exe	45
PID 1396 wrote to memory of 1628	1396	WScript.exe	45
PID 1628 wrote to memory of 2448	1628	svchcst.exe	46
PID 1628 wrote to memory of 2448	1628	svchcst.exe	46
PID 1628 wrote to memory of 2448	1628	svchcst.exe	46
PID 1628 wrote to memory of 2448	1628	svchcst.exe	46
PID 2448 wrote to memory of 2100	2448	WScript.exe	47
PID 2448 wrote to memory of 2100	2448	WScript.exe	47
PID 2448 wrote to memory of 2100	2448	WScript.exe	47
PID 2448 wrote to memory of 2100	2448	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe
"C:\Users\Admin\AppData\Local\Temp\06bda8faab5e6f8460bdc18727fc12a323dde150d98f41b1477ac365df47b316.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1332
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
b5f398ed2b313d6ebf575db813190cf0

SHA1
2ce0e2533f9fccb77628772392c3583e865d88d0

SHA256
5dc47b412b057e608318794826ca6bc10022f380aeeb654bb03429749eef111f

SHA512
673917928a8e2cc089a4453a37dcf8a68a8239968352ac8a085b83b82b65f3764ad9b4f07e7448802819e12c0e43756586f97770bcc164aa3b75fead83f67a86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5c256ba320c7487a2c3cdb62bea97bb5

SHA1
2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc

SHA256
854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4

SHA512
bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0746413c017663c2889cbadf684741eb

SHA1
6a61f92238e17b83adba719b52d2f3d9cd205b8a

SHA256
5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

SHA512
e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dcda7be7bee467e770890045f8b7ae2a

SHA1
c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

SHA256
5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

SHA512
5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
99c6d3daae7cb362152020047cb956dc

SHA1
4d70b60a43d37fbfea1be333aad269606ae3d3a7

SHA256
b35a71753d085b170fca9949910d93671a298e1fcc05cf0cdff308dba4d12324

SHA512
37098e0594a21439720df6adc851063d275020c7a337326cf0f83c8fce79ac210bd42c5458e49e560c4641b569be88b34ee5ee99dccba5c2655fee127c21e110

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b5e11596fa3b5ec67af0232750a3cadb

SHA1
80cb25f5250390b6b2130c8b4eefc9872cc4939d

SHA256
d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

SHA512
06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0192d17fea0102bde8e142aabd30379e

SHA1
f625075beef58c06ca68d43a3ba5cc1caa8efdfd

SHA256
98e8ea7a93d93f491f56d4026b5683e7fdeff25fe26f518e2e81a1319ef49719

SHA512
43002329c61c0fedc908a1838c1868573a5f6f64b4bad3295182b341562cd4b17710ce021e75157830b5b29d29141ae394b3addae4f8c180259f02cb44648163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
b80e64a84f22d05c1da6e47ce54973aa

SHA1
5cad9390328f2c7439c775fabb7a0456663085d9

SHA256
9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

SHA512
983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
73dd42e0ba8cff47f0542d7d8aa40f90

SHA1
ffbb1b56415be5abcf4613aed3136768f2edbc38

SHA256
c73b4e554a4ae515ae3aa320a19d752e3d848d00ed0cd8f084081ed530b8fc3d

SHA512
efd0075f9e70dd557271bdbcd782a083ae2cde8cd5674bf7f8cf63064847951adfcbaa9c9cff91c57d19c7308d0b7bf4754bfbe8fce6ec0e41d920bde7f5a67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1f0deda1a4891631abde62392caba5cc

SHA1
097e344999c604505ef2a9ddfea80d71e46c902c

SHA256
3bfcb39019488dd6cb46625826152ee7d629d43032fda67d9da6ae0b3e6549eb

SHA512
e86651e32daedb7b34e759f99065fcbd77657882d76c6ddbcfde348c165d59fd997e5f44b02489714e9d8cccf1b7afea8d50af72a4f890cdbdabbe7049e12edb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
453ce8ac7ce54e4e49f2da121d7809f7

SHA1
c5f271c45cc723b6af6da56856972639c299cd0f

SHA256
1903cdc7d907083fb2aa60619d9d36992daf8df0c6e3db8658ad6213bfb00fde

SHA512
460fd43f7c2347c8a9d081b22d5e4b0cadf989918c707256f9d7b125a80e2ab5406ce75abb12c59b70409e66c720a142be2476cf6cc5bb7c808a724a8a414a14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b660c4a543e9c3462098681bcdca2734

SHA1
e9195d0372b898a539caef6fbeb95f2b203f435c

SHA256
968af1af5ea43712b544a1443157c3bec28fa9bc30852dcc155bcdcfcfafeb53

SHA512
e15debc85ff3694d14bab23e0af1576ad6d675ac2dd702c0ddf05f80a4b4df38d361c32909d626c230f609ad83cd14e8a269046a05d2743ddb0b7ae1a45f6c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f793a1008bffbe1fae01865a040a6383

SHA1
5e9af2d5905560324f01f124cda5bc030a51ae5d

SHA256
6c8d5f196979b669eb39d1eb48f2c4820d51f80abddfa1d5961f07c149c365e6

SHA512
1044583af306617a4036354fb7e635e58d41708693c4e89ac22673548efb090f3877f20f18f78a8ce136cc9525ab42b64302ece0cc85b4d9d0d6f04f65453caf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
81fe3aaf3f3a082688828047a814df03

SHA1
ce7d6b4bd7e481461ecadc01109070d29e1c6c55

SHA256
b618dc1f4e11fa2f8f3043fbf0f553a0bcca7b29ebc9b996f7f4b9be439df702

SHA512
35bfcf311be00b3b2c7a7c1d088c9535a5f21dab3980d5eab3c04b713d558fe82353502f8a9c66d42ea8bb1d426126f62029035a920bfd162133c75d7593bce6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
d6772d9602a935a7658f83e5f280c0f0

SHA1
5f927eeefc70079e0af4fe678db9cc8443afdb6c

SHA256
9ae7ede33bb26f68942bc0670309e2b76f998594345d980a390f529d13b3cf1d

SHA512
e7320b7b57177643e727e666492488e1d5d716e8dc21eb3abc56113cb8c65501e82cdaeacee4aa837d20cdbb0ba86a9e07c539a7724ed89749f427a2f0de855f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
25c8b51df4852bb669b884eb21dd8da7

SHA1
0f4bd488ebd90c372c8ef7cc254ee7fbfd40e278

SHA256
b9c29938ffb12da03a452049955b39f25955e364ef6dd5f10df8a6d2b688bbfd

SHA512
c3ee5d9d2a71fec8867a63262c66b88fda3162c9e62ed92aa28f2e71a62c347e057151177eb7522be147432011121ea39a355b51a2ee6d07214b043d9b9d5472

Download Submit
memory/2000-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download