3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
Size

1.1MB
MD5

58808fabead141c979dee46ce4bf5a13
SHA1

2f60cc3587770738314b00335cca868533d5dab0
SHA256

3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba
SHA512

b3a756434d5dcd55e4231947c746cb7948324953614847e40f9a98bd612207588d1e1659395a46c9dc6a89f379a5f520441b73870ec5bca458767b5b6bd0fb18
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QE:CcaClSFlG4ZM7QzMD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	svchcst.exe

Executes dropped EXE 23 IoCs

pid	Process
2624	svchcst.exe
684	svchcst.exe
2032	svchcst.exe
2676	svchcst.exe
2444	svchcst.exe
1288	svchcst.exe
2440	svchcst.exe
1508	svchcst.exe
2372	svchcst.exe
2872	svchcst.exe
2036	svchcst.exe
2356	svchcst.exe
400	svchcst.exe
1516	svchcst.exe
2404	svchcst.exe
1888	svchcst.exe
2820	svchcst.exe
2220	svchcst.exe
1968	svchcst.exe
2168	svchcst.exe
1944	svchcst.exe
1280	svchcst.exe
2956	svchcst.exe

Loads dropped DLL 34 IoCs

pid	Process
2220	WScript.exe
2220	WScript.exe
2784	WScript.exe
1584	WScript.exe
1584	WScript.exe
1460	WScript.exe
1460	WScript.exe
2212	WScript.exe
2212	WScript.exe
2856	WScript.exe
2636	WScript.exe
2200	WScript.exe
2200	WScript.exe
2200	WScript.exe
1940	WScript.exe
2444	WScript.exe
2444	WScript.exe
2444	WScript.exe
1844	WScript.exe
1844	WScript.exe
2264	WScript.exe
2264	WScript.exe
3064	WScript.exe
3064	WScript.exe
2660	WScript.exe
2660	WScript.exe
2788	WScript.exe
2788	WScript.exe
320	WScript.exe
320	WScript.exe
2460	WScript.exe
2460	WScript.exe
3004	WScript.exe
3004	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe
2624	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
2624	svchcst.exe
2624	svchcst.exe
684	svchcst.exe
684	svchcst.exe
2032	svchcst.exe
2032	svchcst.exe
2676	svchcst.exe
2676	svchcst.exe
2444	svchcst.exe
2444	svchcst.exe
1288	svchcst.exe
1288	svchcst.exe
2440	svchcst.exe
2440	svchcst.exe
1508	svchcst.exe
1508	svchcst.exe
2372	svchcst.exe
2372	svchcst.exe
2872	svchcst.exe
2872	svchcst.exe
2036	svchcst.exe
2036	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
400	svchcst.exe
400	svchcst.exe
1516	svchcst.exe
1516	svchcst.exe
2404	svchcst.exe
2404	svchcst.exe
1888	svchcst.exe
1888	svchcst.exe
2820	svchcst.exe
2820	svchcst.exe
2220	svchcst.exe
2220	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe
2168	svchcst.exe
2168	svchcst.exe
1944	svchcst.exe
1944	svchcst.exe
1280	svchcst.exe
1280	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2220	2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	30
PID 2696 wrote to memory of 2220	2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	30
PID 2696 wrote to memory of 2220	2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	30
PID 2696 wrote to memory of 2220	2696	3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe	30
PID 2220 wrote to memory of 2624	2220	WScript.exe	32
PID 2220 wrote to memory of 2624	2220	WScript.exe	32
PID 2220 wrote to memory of 2624	2220	WScript.exe	32
PID 2220 wrote to memory of 2624	2220	WScript.exe	32
PID 2624 wrote to memory of 2784	2624	svchcst.exe	33
PID 2624 wrote to memory of 2784	2624	svchcst.exe	33
PID 2624 wrote to memory of 2784	2624	svchcst.exe	33
PID 2624 wrote to memory of 2784	2624	svchcst.exe	33
PID 2784 wrote to memory of 684	2784	WScript.exe	35
PID 2784 wrote to memory of 684	2784	WScript.exe	35
PID 2784 wrote to memory of 684	2784	WScript.exe	35
PID 2784 wrote to memory of 684	2784	WScript.exe	35
PID 684 wrote to memory of 1584	684	svchcst.exe	36
PID 684 wrote to memory of 1584	684	svchcst.exe	36
PID 684 wrote to memory of 1584	684	svchcst.exe	36
PID 684 wrote to memory of 1584	684	svchcst.exe	36
PID 1584 wrote to memory of 2032	1584	WScript.exe	37
PID 1584 wrote to memory of 2032	1584	WScript.exe	37
PID 1584 wrote to memory of 2032	1584	WScript.exe	37
PID 1584 wrote to memory of 2032	1584	WScript.exe	37
PID 2032 wrote to memory of 1608	2032	svchcst.exe	38
PID 2032 wrote to memory of 1608	2032	svchcst.exe	38
PID 2032 wrote to memory of 1608	2032	svchcst.exe	38
PID 2032 wrote to memory of 1608	2032	svchcst.exe	38
PID 1584 wrote to memory of 2676	1584	WScript.exe	39
PID 1584 wrote to memory of 2676	1584	WScript.exe	39
PID 1584 wrote to memory of 2676	1584	WScript.exe	39
PID 1584 wrote to memory of 2676	1584	WScript.exe	39
PID 2676 wrote to memory of 1460	2676	svchcst.exe	40
PID 2676 wrote to memory of 1460	2676	svchcst.exe	40
PID 2676 wrote to memory of 1460	2676	svchcst.exe	40
PID 2676 wrote to memory of 1460	2676	svchcst.exe	40
PID 1460 wrote to memory of 2444	1460	WScript.exe	41
PID 1460 wrote to memory of 2444	1460	WScript.exe	41
PID 1460 wrote to memory of 2444	1460	WScript.exe	41
PID 1460 wrote to memory of 2444	1460	WScript.exe	41
PID 2444 wrote to memory of 1992	2444	svchcst.exe	42
PID 2444 wrote to memory of 1992	2444	svchcst.exe	42
PID 2444 wrote to memory of 1992	2444	svchcst.exe	42
PID 2444 wrote to memory of 1992	2444	svchcst.exe	42
PID 1460 wrote to memory of 1288	1460	WScript.exe	43
PID 1460 wrote to memory of 1288	1460	WScript.exe	43
PID 1460 wrote to memory of 1288	1460	WScript.exe	43
PID 1460 wrote to memory of 1288	1460	WScript.exe	43
PID 1288 wrote to memory of 2212	1288	svchcst.exe	44
PID 1288 wrote to memory of 2212	1288	svchcst.exe	44
PID 1288 wrote to memory of 2212	1288	svchcst.exe	44
PID 1288 wrote to memory of 2212	1288	svchcst.exe	44
PID 2212 wrote to memory of 2440	2212	WScript.exe	45
PID 2212 wrote to memory of 2440	2212	WScript.exe	45
PID 2212 wrote to memory of 2440	2212	WScript.exe	45
PID 2212 wrote to memory of 2440	2212	WScript.exe	45
PID 2440 wrote to memory of 1852	2440	svchcst.exe	46
PID 2440 wrote to memory of 1852	2440	svchcst.exe	46
PID 2440 wrote to memory of 1852	2440	svchcst.exe	46
PID 2440 wrote to memory of 1852	2440	svchcst.exe	46
PID 2212 wrote to memory of 1508	2212	WScript.exe	47
PID 2212 wrote to memory of 1508	2212	WScript.exe	47
PID 2212 wrote to memory of 1508	2212	WScript.exe	47
PID 2212 wrote to memory of 1508	2212	WScript.exe	47

C:\Users\Admin\AppData\Local\Temp\3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe
"C:\Users\Admin\AppData\Local\Temp\3baf5ffe90e05c04e29799aab86638f23af788263fc1bb01e4d9cce498d00aba.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2036
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3fe126921f6537cf36cd507b1649ffbb

SHA1
445c8796d072bb5829f0af8421e3eb7da34add70

SHA256
b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

SHA512
5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
66073a2944d79129b28645fed6bc1286

SHA1
2cbba938ab66f7f5c9b0cb2a5c58940e2e14599b

SHA256
87d79920ed0fb49971153bdcb8a8ca003a247e5937d8cc3dc3b871e91ef79042

SHA512
95b8dffed82c126394ce16db0af1874ade41cca2b096d9ffe388e9c6a462c86e21723f811c0fb8c8445047906b0dfe035f5a421b5d406b8e8d3e6a1ad5d4351b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4e1e7d85973f6d9e8ea0c5f3b4407892

SHA1
9f2d0fe68b6aaa82af5e73a7ef7348ec9aae708f

SHA256
91ebbe86ec685b4a30b878755c0638c3ea7ced3300c719f6a616c28294a3333c

SHA512
a67d3efaf3142a2ffc4dd2532d1bd5704bbf50d47b909a9ebb8eefcd425b3dacd64d9fbbd1e88f067b6461c850b4c6b919719dd8d354917ae007761d9adeb917

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
418e489a61f524eb101168676ee507c0

SHA1
c2d403388bfdccf0d75b4ef92dd8a453c413057c

SHA256
2ec2f981acbd3a091e05e93f06c952fdf6372e4d4d4ad78e7ddfe60043b1ad3c

SHA512
56033db0322098091059ab662f14f51c8bd98fc6784e3a5c553428c3c91d160fa5f784e43020fde5630515f87a2dbd7dff88865a5ecc4f349f6482eaef1b522a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f8db619ebe2f315356d8a3c1cb7ce863

SHA1
6a7be253323ec01b077ec2632a10159e39c17b2b

SHA256
99940aede45164365f56d6948655491bf5e5eaf8cc50400fe99620b5d3cd29c8

SHA512
6abc38a731254105c4f336ef9954159d7711889c704002838872473450f9077a940b4817cf36ae7fa04f08439a2acb53c9ab37c85e21c2981eab353379bf431a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
93bffb400f506fbd69421b6075802c65

SHA1
b9d8c4ea6a8fd739f6cf167e1f58412525f15784

SHA256
2e455d4d9ba6db3056e273b33c3cc67d60d76c4a750b98b2d4d0e2bcc6aa57b1

SHA512
e00a5d4ad19c488dc18e50150fcd50505133666e333f12f9e0cb3a894162951e4195886798de3531561ff99b4a3fbca6fb351f1ff0bcd0e1ac20cd685962ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1c4a20bad462e2ead31b207cd4b0dd1b

SHA1
e6037559a47f711d0e930c907b6c33269cb8ecb9

SHA256
7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

SHA512
78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
24e4a44b907089d788280d647e33c77e

SHA1
ac5a4e397dea243c0022c55319e7c7035d013905

SHA256
7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

SHA512
c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0deab118abcf8e078322ee46edd4cfd3

SHA1
b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf

SHA256
344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502

SHA512
e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
03f68343f5906993640e0b9e3f9c7964

SHA1
699e9c3fda1aa89e7a47ac8b77b41178c99cc8e2

SHA256
dd2d5bf380874e81adc5e05b667047dcf1b6c8a8953068fb177053e20c35f727

SHA512
76de9e035c0ad6ee3237006749fd28ee93a6fcd09700e265aaea432f7d2292aac87f0799221559caacd6dd58ff72af17d67627aace77bd2a36a802bbdc88b99c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
53586000e76ee6942df430b8716b4616

SHA1
97afd48071b6043c0a04b823875956b98a8d33bd

SHA256
486e66f5aafdb179f41e1d1f39c8fb5662bfad43d5d53dfa89405a04b0d42d69

SHA512
3a9a94289a667899d5ba7db41486854b9234929ecaa9d9aaff3188740cc084c0a633702be218f4b1a8afbfbd8a4e1a892eebbdfde1a7d3fb9c27c3482aa03bd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ef4272f4d6f345fc8cc1b2f059c81b4

SHA1
78bcb559f775d70e10396e1d6d7b95c28d2645d1

SHA256
19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

SHA512
002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7469a2c3009624ca015e78057300cbad

SHA1
c7357e07b9c36ac479a7fa62ba10fd45ada4ee3a

SHA256
ec85b2158a5415982c09a183a9625800c5ab3e6dcd2367e7175298e51331d349

SHA512
3cb358f6d1f51de47fe6fa460097eaaf928328f4f4bd193812d1e393a177df2a134321dffa80a13dab0736c77dc3badf4411f002f6c137349824e11738f6b298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a9da843bc4b64c47e6b57314ae81501

SHA1
fec340d04ce40750430ddde6c2469ea19b82c418

SHA256
12a5833f060e1a44fc923ba85dead8fe42c2953811a2ca8f88c8e43482454bc0

SHA512
09d67ee8b29486d5a8642acf5a804ae593e5740c78c2a0dd4caa96af598283808ff702ca25f7c03a9296d47304bca7499b4e6eeffef3295b9be2f35f1dfe1d98

Download Submit
memory/2696-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download