8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0

Analysis

max time kernel
79s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe
Size

1.1MB
MD5

ad0aeafe540a0152a1331066f2ec4f89
SHA1

374747c38ea91d1d822e29a031320234d1b64c7d
SHA256

8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0
SHA512

2d32cedc21e301ad5278830753d7bea4d9ba8ea22c07ab0a53e80099936d913349459d4159b437a7e9d43924fa20e414e08286eb0d075f8c591584c189ef7e59
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qk:acallSllG4ZM7QzMz

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2716	svchcst.exe

Executes dropped EXE 15 IoCs

pid	Process
2716	svchcst.exe
1368	svchcst.exe
2708	svchcst.exe
1072	svchcst.exe
2364	svchcst.exe
672	svchcst.exe
604	svchcst.exe
2448	svchcst.exe
2824	svchcst.exe
2280	svchcst.exe
2396	svchcst.exe
2124	svchcst.exe
880	svchcst.exe
836	svchcst.exe
2560	svchcst.exe

Loads dropped DLL 17 IoCs

pid	Process
2780	WScript.exe
2780	WScript.exe
1912	WScript.exe
2212	WScript.exe
1620	WScript.exe
1620	WScript.exe
624	WScript.exe
1880	WScript.exe
360	WScript.exe
2800	WScript.exe
2800	WScript.exe
2248	WScript.exe
1072	WScript.exe
2044	WScript.exe
1856	WScript.exe
2364	WScript.exe
2492	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe
2716	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe
1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe
2716	svchcst.exe
2716	svchcst.exe
1368	svchcst.exe
1368	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe
1072	svchcst.exe
1072	svchcst.exe
2364	svchcst.exe
2364	svchcst.exe
672	svchcst.exe
672	svchcst.exe
604	svchcst.exe
604	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2280	svchcst.exe
2280	svchcst.exe
2396	svchcst.exe
2396	svchcst.exe
2124	svchcst.exe
2124	svchcst.exe
880	svchcst.exe
836	svchcst.exe
836	svchcst.exe
880	svchcst.exe
2560	svchcst.exe
2560	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2780	1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe	30
PID 1872 wrote to memory of 2780	1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe	30
PID 1872 wrote to memory of 2780	1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe	30
PID 1872 wrote to memory of 2780	1872	8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe	30
PID 2780 wrote to memory of 2716	2780	WScript.exe	32
PID 2780 wrote to memory of 2716	2780	WScript.exe	32
PID 2780 wrote to memory of 2716	2780	WScript.exe	32
PID 2780 wrote to memory of 2716	2780	WScript.exe	32
PID 2716 wrote to memory of 1912	2716	svchcst.exe	33
PID 2716 wrote to memory of 1912	2716	svchcst.exe	33
PID 2716 wrote to memory of 1912	2716	svchcst.exe	33
PID 2716 wrote to memory of 1912	2716	svchcst.exe	33
PID 2716 wrote to memory of 1620	2716	svchcst.exe	34
PID 2716 wrote to memory of 1620	2716	svchcst.exe	34
PID 2716 wrote to memory of 1620	2716	svchcst.exe	34
PID 2716 wrote to memory of 1620	2716	svchcst.exe	34
PID 1912 wrote to memory of 1368	1912	WScript.exe	35
PID 1912 wrote to memory of 1368	1912	WScript.exe	35
PID 1912 wrote to memory of 1368	1912	WScript.exe	35
PID 1912 wrote to memory of 1368	1912	WScript.exe	35
PID 1368 wrote to memory of 2212	1368	svchcst.exe	36
PID 1368 wrote to memory of 2212	1368	svchcst.exe	36
PID 1368 wrote to memory of 2212	1368	svchcst.exe	36
PID 1368 wrote to memory of 2212	1368	svchcst.exe	36
PID 2212 wrote to memory of 2708	2212	WScript.exe	37
PID 2212 wrote to memory of 2708	2212	WScript.exe	37
PID 2212 wrote to memory of 2708	2212	WScript.exe	37
PID 2212 wrote to memory of 2708	2212	WScript.exe	37
PID 1620 wrote to memory of 1072	1620	WScript.exe	38
PID 1620 wrote to memory of 1072	1620	WScript.exe	38
PID 1620 wrote to memory of 1072	1620	WScript.exe	38
PID 1620 wrote to memory of 1072	1620	WScript.exe	38
PID 2708 wrote to memory of 2416	2708	svchcst.exe	39
PID 2708 wrote to memory of 2416	2708	svchcst.exe	39
PID 2708 wrote to memory of 2416	2708	svchcst.exe	39
PID 2708 wrote to memory of 2416	2708	svchcst.exe	39
PID 1620 wrote to memory of 2364	1620	WScript.exe	40
PID 1620 wrote to memory of 2364	1620	WScript.exe	40
PID 1620 wrote to memory of 2364	1620	WScript.exe	40
PID 1620 wrote to memory of 2364	1620	WScript.exe	40
PID 2364 wrote to memory of 624	2364	svchcst.exe	41
PID 2364 wrote to memory of 624	2364	svchcst.exe	41
PID 2364 wrote to memory of 624	2364	svchcst.exe	41
PID 2364 wrote to memory of 624	2364	svchcst.exe	41
PID 2364 wrote to memory of 1880	2364	svchcst.exe	42
PID 2364 wrote to memory of 1880	2364	svchcst.exe	42
PID 2364 wrote to memory of 1880	2364	svchcst.exe	42
PID 2364 wrote to memory of 1880	2364	svchcst.exe	42
PID 624 wrote to memory of 672	624	WScript.exe	43
PID 624 wrote to memory of 672	624	WScript.exe	43
PID 624 wrote to memory of 672	624	WScript.exe	43
PID 624 wrote to memory of 672	624	WScript.exe	43
PID 672 wrote to memory of 360	672	svchcst.exe	44
PID 672 wrote to memory of 360	672	svchcst.exe	44
PID 672 wrote to memory of 360	672	svchcst.exe	44
PID 672 wrote to memory of 360	672	svchcst.exe	44
PID 1880 wrote to memory of 604	1880	WScript.exe	45
PID 1880 wrote to memory of 604	1880	WScript.exe	45
PID 1880 wrote to memory of 604	1880	WScript.exe	45
PID 1880 wrote to memory of 604	1880	WScript.exe	45
PID 360 wrote to memory of 2448	360	WScript.exe	46
PID 360 wrote to memory of 2448	360	WScript.exe	46
PID 360 wrote to memory of 2448	360	WScript.exe	46
PID 360 wrote to memory of 2448	360	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe
"C:\Users\Admin\AppData\Local\Temp\8f5059fe5072a389672060fc8fbe7f49642ef708d1632bfeade3aed5a89fb8f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1072
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2364
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:360
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
38e586bc98f86a01ab8de4bd2278b56b

SHA1
c8545c04af1b94e3e2753c1c23d50f5d1fa04a18

SHA256
2b642d3000b983adc627fbe144986f21c9d444f0ce6991113955e20e7dc7e5f1

SHA512
20dff6d44c2373dd45d7a1c0fdd523cce29d6bc2d1187648329ae85ed011f8436368142dabdc7a5773132079795dde788ca4df2d003120aa291faa6645990a87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
7e30bbf5f589f6ae6e5daf322f9f4c63

SHA1
4078c36ab68538c4d3aa3996b3a218fa786e5813

SHA256
9ed68f0cb63b2fca99956af2a550eb26ac99a883afef4ea6dc1236c14593266b

SHA512
63bb07bfbef6c96b50bbcb60d7f805930aaeefd6eadaa39dcb3e591c84636c670257a7f544bb0565174578a517d06de29a6c086812ef5cfb3039aea1917fb4b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3be529c48598ce74c5871846d63ca15c

SHA1
93bb8e6882b776b47589ffa48116e17c98071383

SHA256
f9f80c033a3cb1e2e9a8aa108427d6985dd2a08c2bea70e4dda2309f03ab7b2a

SHA512
e848a532aa9acfddfb754e081353660af23f3d0ee7720f6162fc5e8a2104d98b7be8aa461ea274a311634ae3b5b0bd219731da7d6b43c3b381de56d03bb43608

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ddd204c2596c95e0b37f2faf17345158

SHA1
fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2

SHA256
6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2

SHA512
17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
9f87870aabac31b89e8f641cc4796a67

SHA1
0e7c4d9fa14eb4afe07e0ded564229685c3cbe4b

SHA256
c5ccc91ebc3838b354e5ae05c7b3efa01813e004b427f843ba23e78ff272e695

SHA512
28c7fe3049354286831a5c2b52ea96583bef30c4a294d07bfb10c11bb9e3469b944d8029d58f73611daa616a279e280d0c14fa037d390ab34a5daa2f5a25c4f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
423a0fabd3a9fd2cbedc3aba67c69650

SHA1
880097557ac6718e93822ac7efc9a3e2986c51de

SHA256
d77f549afde3b88ac747c3d0dee3069f914fac77b572ae08737ffc05f696491b

SHA512
c65d3db8250c7885b05075ebc3485db4506dde6c435247ad6a86e9085d59b039f4629583b327662a2eb40c79bc135d5d17b5bfb01f63ee02726aa57ecd7ed139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ae75c3a96c26ddc15e3c678434b18374

SHA1
7abb4cd173f5c8565c891bc5305922439e880fed

SHA256
1b84f073d7c021672b1951a420b183f570b94f4d7c14c86698b22bbd353bf965

SHA512
e817ab91d4d73840a290ff2e999a5136328b315afa16ec831b6ddabea08cf07d8dd61b332cbeded13bde712e7c87538228ff8d163c0f659da84134f04e5a3b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ad9767e183b20cf57ef41a8b81378707

SHA1
5eb955901200687f8e26aa586657d4c7a3b3c44c

SHA256
924bfce102571f701ea3b2e3f2af56de2de19530c338dc303c867645d491fc05

SHA512
8434dfdc0d7ea8e0ae54c4951dae545d0b2f127ca65eb3bd5a0d1498336994dba8642cbbfd2ea11d995c48a57bfdc73953742668dcad6bcc5e884c69af32d7b9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2f7f47132aec17bd7ee58b2dd5e13564

SHA1
65ea8c608dd69ae6a0b4079c4bf474f2d2fdaf52

SHA256
18616012fce171743b368b0d1d1afa9ad5fc189eb9ddb9afcbf38c6ce2161fd9

SHA512
80bb83b6ad19cb854ab0c11010227f1dc881c500ae7fc29ee9e69a2ca35a6a9dfacc447d36f406a31bd050331e4618850cd6b5cb110d3a6e38837ef32b72b541

Download Submit
memory/360-84-0x0000000003B30000-0x0000000003C8F000-memory.dmp

Filesize
1.4MB

Download
memory/604-80-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/672-75-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/672-82-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/836-165-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/836-174-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/880-160-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/880-170-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-51-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1072-133-0x00000000050D0000-0x000000000522F000-memory.dmp

Filesize
1.4MB

Download
memory/1236-200-0x00000000040F0000-0x000000000424F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-199-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1308-202-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1368-31-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1620-57-0x0000000005680000-0x00000000057DF000-memory.dmp

Filesize
1.4MB

Download
memory/1620-46-0x0000000003D70000-0x0000000003ECF000-memory.dmp

Filesize
1.4MB

Download
memory/1856-159-0x00000000053C0000-0x000000000551F000-memory.dmp

Filesize
1.4MB

Download
memory/1856-177-0x00000000053C0000-0x000000000551F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-10-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1872-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1912-30-0x0000000003F90000-0x00000000040EF000-memory.dmp

Filesize
1.4MB

Download
memory/2044-163-0x0000000003C70000-0x0000000003DCF000-memory.dmp

Filesize
1.4MB

Download
memory/2044-146-0x0000000003C70000-0x0000000003DCF000-memory.dmp

Filesize
1.4MB

Download
memory/2124-155-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2124-147-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2212-43-0x0000000005090000-0x00000000051EF000-memory.dmp

Filesize
1.4MB

Download
memory/2248-119-0x0000000003F30000-0x000000000408F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-198-0x0000000005510000-0x000000000566F000-memory.dmp

Filesize
1.4MB

Download
memory/2276-193-0x0000000005510000-0x000000000566F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-129-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2280-120-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-67-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2364-164-0x0000000003C30000-0x0000000003D8F000-memory.dmp

Filesize
1.4MB

Download
memory/2396-142-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2396-134-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2448-97-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2492-192-0x0000000005080000-0x00000000051DF000-memory.dmp

Filesize
1.4MB

Download
memory/2492-178-0x0000000005080000-0x00000000051DF000-memory.dmp

Filesize
1.4MB

Download
memory/2492-186-0x0000000005080000-0x00000000051DF000-memory.dmp

Filesize
1.4MB

Download
memory/2552-196-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-179-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2560-185-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2700-187-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2700-197-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2708-55-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2716-15-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2800-103-0x00000000051C0000-0x000000000531F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-109-0x0000000004090000-0x000000000449B000-memory.dmp

Filesize
4.0MB

Download
memory/2824-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-115-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-201-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3012-203-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download