9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b

Analysis

max time kernel
33s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
Size

1.1MB
MD5

d6132cc188ebcc1482a23f4f9e25c997
SHA1

a4f425b0b253613c7fa2050c77096d5431487cad
SHA256

9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b
SHA512

3284fde921012c6055c15890b836d98827435af3b9dbb38d5b95bfc4cbcb00b00406e01e981299a31c6fc4085fb616d8ebbdda8f5ac3414fd9d8d4efbd3c492a
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q8:CcaClSFlG4ZM7QzM7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe

Deletes itself 1 IoCs

pid	Process
5952	svchcst.exe

Executes dropped EXE 8 IoCs

pid	Process
5912	svchcst.exe
5928	svchcst.exe
5920	svchcst.exe
5936	svchcst.exe
5952	svchcst.exe
6040	svchcst.exe
6048	svchcst.exe
6060	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
5920	svchcst.exe
5920	svchcst.exe
5952	svchcst.exe
5952	svchcst.exe
5912	svchcst.exe
5936	svchcst.exe
5912	svchcst.exe
5936	svchcst.exe
5928	svchcst.exe
5928	svchcst.exe
6048	svchcst.exe
6048	svchcst.exe
6040	svchcst.exe
6060	svchcst.exe
6060	svchcst.exe
6040	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2320	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	119
PID 2168 wrote to memory of 2320	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	119
PID 2168 wrote to memory of 2320	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	119
PID 2168 wrote to memory of 1648	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	102
PID 2168 wrote to memory of 1648	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	102
PID 2168 wrote to memory of 1648	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	102
PID 2168 wrote to memory of 3708	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	117
PID 2168 wrote to memory of 3708	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	117
PID 2168 wrote to memory of 3708	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	117
PID 2168 wrote to memory of 2052	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	115
PID 2168 wrote to memory of 2052	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	115
PID 2168 wrote to memory of 2052	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	115
PID 2168 wrote to memory of 3564	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	114
PID 2168 wrote to memory of 3564	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	114
PID 2168 wrote to memory of 3564	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	114
PID 2168 wrote to memory of 1000	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	113
PID 2168 wrote to memory of 1000	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	113
PID 2168 wrote to memory of 1000	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	113
PID 2168 wrote to memory of 2728	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	112
PID 2168 wrote to memory of 2728	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	112
PID 2168 wrote to memory of 2728	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	112
PID 2168 wrote to memory of 5000	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	111
PID 2168 wrote to memory of 5000	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	111
PID 2168 wrote to memory of 5000	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	111
PID 2168 wrote to memory of 4596	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	107
PID 2168 wrote to memory of 4596	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	107
PID 2168 wrote to memory of 4596	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	107
PID 2168 wrote to memory of 3896	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	105
PID 2168 wrote to memory of 3896	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	105
PID 2168 wrote to memory of 3896	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	105
PID 2168 wrote to memory of 3716	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	118
PID 2168 wrote to memory of 3716	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	118
PID 2168 wrote to memory of 3716	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	118
PID 2168 wrote to memory of 1348	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	120
PID 2168 wrote to memory of 1348	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	120
PID 2168 wrote to memory of 1348	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	120
PID 2168 wrote to memory of 1308	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	110
PID 2168 wrote to memory of 1308	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	110
PID 2168 wrote to memory of 1308	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	110
PID 2168 wrote to memory of 1596	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	116
PID 2168 wrote to memory of 1596	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	116
PID 2168 wrote to memory of 1596	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	116
PID 2168 wrote to memory of 4696	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	109
PID 2168 wrote to memory of 4696	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	109
PID 2168 wrote to memory of 4696	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	109
PID 2168 wrote to memory of 3460	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	108
PID 2168 wrote to memory of 3460	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	108
PID 2168 wrote to memory of 3460	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	108
PID 2168 wrote to memory of 3672	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	106
PID 2168 wrote to memory of 3672	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	106
PID 2168 wrote to memory of 3672	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	106
PID 2168 wrote to memory of 3420	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	104
PID 2168 wrote to memory of 3420	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	104
PID 2168 wrote to memory of 3420	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	104
PID 2168 wrote to memory of 3284	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	103
PID 2168 wrote to memory of 3284	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	103
PID 2168 wrote to memory of 3284	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	103
PID 2168 wrote to memory of 3724	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	101
PID 2168 wrote to memory of 3724	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	101
PID 2168 wrote to memory of 3724	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	101
PID 2168 wrote to memory of 4928	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	100
PID 2168 wrote to memory of 4928	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	100
PID 2168 wrote to memory of 4928	2168	9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe	100
PID 2052 wrote to memory of 5912	2052	WScript.exe	123

C:\Users\Admin\AppData\Local\Temp\9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe
"C:\Users\Admin\AppData\Local\Temp\9ae3f97c9a69251c125f97941937a05f8d29d226c18c8e92c85e5b5b2e1f499b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3420
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1308
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6060
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:5000
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2728
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4556
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1000
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5912
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1596
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3708
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5928
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2320
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1348
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
ff17d600d7b4240abc5947a9b1373a19

SHA1
2531202c2d64389b1c43b1accc73007c260933ae

SHA256
63848531804d98864a65c49df513044ccc8429bde2764b6b07b7c8b6bdd746e5

SHA512
7816f44f50c15a806421b69e1042fed01a44462e2ce2244822077a7aae431fa8e6f199c7036df930451ba5fbee4f76fc50bc3cd649b919a0be6774f66abda908

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
fb757130836576e5f952cb011021776c

SHA1
68f6351ef6dd363f67e76b91e7d8150050948698

SHA256
2d8143967be00cc4d6f3a1b8671885498b80e57ec52a84e19eaf136e64980e5b

SHA512
6f7311c6964be509733152377344d37f311021a6638946d275d282aa1b0212d8d790175b8c4e61fba6f5f4299c0e5da3307b69b03f619273462edd5c3cfce0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c76f0342b41210930d4c28abc31768d0

SHA1
37e8f6914ccc53e46320cf73aa74392a28a665bf

SHA256
c5b4c496d4c197ed9d722fa9c9532701b8daa8db98b7a58363445edfcd580206

SHA512
7e77c7fddbf32cf5e51f7bb7262e70f7c88833c874425b51ac7cbaea592731de02d0ba7fa996bf6e0f7dd38c9c92b7e121ff813829709e1e873005f4f084b06f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0ec4c75ca1dbf0a7c8f055ba565aae62

SHA1
4ae2403997b7552a9fcfefbb10d82153a19069f4

SHA256
3539f5972027441c1f25d9d0684f25b8b9a6e153418d383e6dc940f16915cbf0

SHA512
5a12dba2325205c8297a5b5b0301174b8c54c1c3323ab3e2116b6475f8c39f6a2d900ce4e4a447d9f026da644be6814ce76b7810e5bd501a31a2cbce4608ad1d

Download Submit