51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3

Analysis

max time kernel
27s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
Size

1.1MB
MD5

0701807d60fd1ab688fb854b8e8faf1c
SHA1

0b706f92f12fe19ec30cb338c33dfd3bbc59aa84
SHA256

51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3
SHA512

1970ae2ee71dbbdae317cd7614c44c525feef918268d377f01d6c242fc0322666df2f1fe5f861be432ffef258b6c7bf0b0f8f6d5f1d2e56bdee3f5ec49bb2d75
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QM:acallSllG4ZM7QzML

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1696	svchcst.exe

Executes dropped EXE 11 IoCs

pid	Process
3456	svchcst.exe
1696	svchcst.exe
3548	svchcst.exe
4132	svchcst.exe
388	svchcst.exe
3336	svchcst.exe
2900	svchcst.exe
2532	svchcst.exe
2516	svchcst.exe
1396	svchcst.exe
2204	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
3456	svchcst.exe
3456	svchcst.exe
1696	svchcst.exe
1696	svchcst.exe
3548	svchcst.exe
4132	svchcst.exe
3548	svchcst.exe
4132	svchcst.exe
3336	svchcst.exe
3336	svchcst.exe
388	svchcst.exe
388	svchcst.exe
2900	svchcst.exe
2900	svchcst.exe
2532	svchcst.exe
2532	svchcst.exe
2516	svchcst.exe
2516	svchcst.exe
1396	svchcst.exe
1396	svchcst.exe
2204	svchcst.exe
2204	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3656	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	97
PID 4728 wrote to memory of 3656	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	97
PID 4728 wrote to memory of 3656	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	97
PID 4728 wrote to memory of 3812	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	99
PID 4728 wrote to memory of 3812	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	99
PID 4728 wrote to memory of 3812	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	99
PID 4728 wrote to memory of 3828	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	92
PID 4728 wrote to memory of 3828	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	92
PID 4728 wrote to memory of 3828	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	92
PID 4728 wrote to memory of 2320	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	93
PID 4728 wrote to memory of 2320	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	93
PID 4728 wrote to memory of 2320	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	93
PID 4728 wrote to memory of 1612	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	94
PID 4728 wrote to memory of 1612	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	94
PID 4728 wrote to memory of 1612	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	94
PID 4728 wrote to memory of 2384	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	95
PID 4728 wrote to memory of 2384	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	95
PID 4728 wrote to memory of 2384	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	95
PID 4728 wrote to memory of 952	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	96
PID 4728 wrote to memory of 952	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	96
PID 4728 wrote to memory of 952	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	96
PID 4728 wrote to memory of 4540	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	91
PID 4728 wrote to memory of 4540	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	91
PID 4728 wrote to memory of 4540	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	91
PID 4728 wrote to memory of 1052	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	98
PID 4728 wrote to memory of 1052	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	98
PID 4728 wrote to memory of 1052	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	98
PID 4728 wrote to memory of 1112	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	100
PID 4728 wrote to memory of 1112	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	100
PID 4728 wrote to memory of 1112	4728	51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe	100
PID 2384 wrote to memory of 3456	2384	WScript.exe	102
PID 2384 wrote to memory of 3456	2384	WScript.exe	102
PID 2384 wrote to memory of 3456	2384	WScript.exe	102
PID 3812 wrote to memory of 4132	3812	WScript.exe	103
PID 3812 wrote to memory of 4132	3812	WScript.exe	103
PID 3812 wrote to memory of 4132	3812	WScript.exe	103
PID 1112 wrote to memory of 1696	1112	WScript.exe	123
PID 1112 wrote to memory of 1696	1112	WScript.exe	123
PID 1112 wrote to memory of 1696	1112	WScript.exe	123
PID 3828 wrote to memory of 3548	3828	WScript.exe	105
PID 3828 wrote to memory of 3548	3828	WScript.exe	105
PID 3828 wrote to memory of 3548	3828	WScript.exe	105
PID 3656 wrote to memory of 388	3656	WScript.exe	106
PID 3656 wrote to memory of 388	3656	WScript.exe	106
PID 3656 wrote to memory of 388	3656	WScript.exe	106
PID 2320 wrote to memory of 3336	2320	WScript.exe	107
PID 2320 wrote to memory of 3336	2320	WScript.exe	107
PID 2320 wrote to memory of 3336	2320	WScript.exe	107
PID 952 wrote to memory of 2900	952	WScript.exe	108
PID 952 wrote to memory of 2900	952	WScript.exe	108
PID 952 wrote to memory of 2900	952	WScript.exe	108
PID 1052 wrote to memory of 2532	1052	WScript.exe	122
PID 1052 wrote to memory of 2532	1052	WScript.exe	122
PID 1052 wrote to memory of 2532	1052	WScript.exe	122
PID 3812 wrote to memory of 2516	3812	WScript.exe	110
PID 3812 wrote to memory of 2516	3812	WScript.exe	110
PID 3812 wrote to memory of 2516	3812	WScript.exe	110
PID 1112 wrote to memory of 1396	1112	WScript.exe	125
PID 1112 wrote to memory of 1396	1112	WScript.exe	125
PID 1112 wrote to memory of 1396	1112	WScript.exe	125
PID 2516 wrote to memory of 1928	2516	svchcst.exe	112
PID 2516 wrote to memory of 1928	2516	svchcst.exe	112
PID 2516 wrote to memory of 1928	2516	svchcst.exe	112
PID 1112 wrote to memory of 2204	1112	WScript.exe	113

C:\Users\Admin\AppData\Local\Temp\51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe
"C:\Users\Admin\AppData\Local\Temp\51e9ff1ebdcab586db924e6d827e7f892dd5a2602141dbafc6449dfe5b1320d3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3336
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3456
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2532
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4132
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1696
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1396
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2204
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2304
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:3236
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2240

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv QgUB7QKRY0GFYhXUuyyNSQ.0.2
1⤵
PID:2532

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1696

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1268 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
40f6f449a0c0a78f06881de564a4dc40

SHA1
a62314078557574e0f10c41f9b464dc9e59a7c6e

SHA256
cbb361d338fb376ca0dbdd84b40624810fd17a684530d66a0164f6b2c86ef12e

SHA512
0c5d678e40000cd79fff37c09a1d810dd1cee6447111ec5bb3f10433d34e6eabc65b15193b8f45df0e15ca9ae89d1de3e4b74965a88dfed9cf0557bccd641d22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
774844b08b364b32d1209ef0d962d2fd

SHA1
967a30d076aa269a5cef321d36ac1f5c1eb180cb

SHA256
c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

SHA512
2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
61adb21970019b912bb984c168f1d2cb

SHA1
fbd1754a4d21d854bc495c1616e67b595a27c10f

SHA256
6f3a7f3518a2ca3e96c3f5c95da652a569fa20632b7d177fcbb4bdb135f36950

SHA512
cd77b3a2018d88724ae8f9f52a48edcc14c2fa21fa8a76a6a559a8afd687159ceb102eff3ee4c9c07f39d4dc99c4ae80a6a12274a890604b45f82455109404b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
78f22d6d12937c4b1bb8feea06334bd6

SHA1
c3555c27d4b7627f2e1be39213f52b765689fd30

SHA256
28150bda91bc064a546d1fc6fa0a2cf9222131c91b31233a8581a3b9de6a1a01

SHA512
5abca3ae991f6d2c3f87242aebfb3bf46320968eeb6207e06e67c3721e1a3072f92e934a47beb77007082272e972cec658d4ef07c3a40ca8a52b98de7da269f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c09c3000459ca6234f573dfc22c209bc

SHA1
ee73aa1058ffe69be4ee720be912559504edbbdc

SHA256
3f9a51d2e4fc1f4c0c838015b50d443962904b4768462a97890b4732065bb082

SHA512
e0ee3a2cb57ef4279236e95773291ddd60b52b456ca7eb29afc6ad9c35ce9eff3546ce4821e8fbc68b8bb23bb637c41a4021c990f968aff93a2ea28d1c276f6a

Download Submit
memory/388-45-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/388-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1396-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1696-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2204-66-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-63-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2516-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2532-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2900-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3336-44-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3456-40-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3548-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3548-38-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4132-34-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4132-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4728-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4728-27-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download