cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490

Analysis

max time kernel
33s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
Size

1.1MB
MD5

0fda798077c2b16bd9942b9fb55d19fa
SHA1

be8619e79b34b4e3842734e59c62417afa71fa94
SHA256

cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490
SHA512

df0f079948f565228b1ef3bcba540ab53d785f2fdaf35f9d6ce76d21ee42fe36a54b95b3b637362edb916f398e8af7993d961e0737e31984a437f2b9564a447c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qp:CcaClSFlG4ZM7QzMa

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2256	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	92
PID 1516 wrote to memory of 2256	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	92
PID 1516 wrote to memory of 2256	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	92
PID 1516 wrote to memory of 2984	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	98
PID 1516 wrote to memory of 2984	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	98
PID 1516 wrote to memory of 2984	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	98
PID 1516 wrote to memory of 2436	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	91
PID 1516 wrote to memory of 2436	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	91
PID 1516 wrote to memory of 2436	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	91
PID 1516 wrote to memory of 2904	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	97
PID 1516 wrote to memory of 2904	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	97
PID 1516 wrote to memory of 2904	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	97
PID 1516 wrote to memory of 3696	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	96
PID 1516 wrote to memory of 3696	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	96
PID 1516 wrote to memory of 3696	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	96
PID 1516 wrote to memory of 2820	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	95
PID 1516 wrote to memory of 2820	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	95
PID 1516 wrote to memory of 2820	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	95
PID 1516 wrote to memory of 2244	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	99
PID 1516 wrote to memory of 2244	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	99
PID 1516 wrote to memory of 2244	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	99
PID 1516 wrote to memory of 2992	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	100
PID 1516 wrote to memory of 2992	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	100
PID 1516 wrote to memory of 2992	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	100
PID 1516 wrote to memory of 3056	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	151
PID 1516 wrote to memory of 3056	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	151
PID 1516 wrote to memory of 3056	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	151
PID 1516 wrote to memory of 3444	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	102
PID 1516 wrote to memory of 3444	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	102
PID 1516 wrote to memory of 3444	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	102
PID 1516 wrote to memory of 4392	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	103
PID 1516 wrote to memory of 4392	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	103
PID 1516 wrote to memory of 4392	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	103
PID 1516 wrote to memory of 4404	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	104
PID 1516 wrote to memory of 4404	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	104
PID 1516 wrote to memory of 4404	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	104
PID 1516 wrote to memory of 4452	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	105
PID 1516 wrote to memory of 4452	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	105
PID 1516 wrote to memory of 4452	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	105
PID 1516 wrote to memory of 4388	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	106
PID 1516 wrote to memory of 4388	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	106
PID 1516 wrote to memory of 4388	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	106
PID 1516 wrote to memory of 2404	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	107
PID 1516 wrote to memory of 2404	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	107
PID 1516 wrote to memory of 2404	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	107
PID 1516 wrote to memory of 1340	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	108
PID 1516 wrote to memory of 1340	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	108
PID 1516 wrote to memory of 1340	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	108
PID 1516 wrote to memory of 644	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	109
PID 1516 wrote to memory of 644	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	109
PID 1516 wrote to memory of 644	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	109
PID 1516 wrote to memory of 232	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	110
PID 1516 wrote to memory of 232	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	110
PID 1516 wrote to memory of 232	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	110
PID 1516 wrote to memory of 2052	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	111
PID 1516 wrote to memory of 2052	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	111
PID 1516 wrote to memory of 2052	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	111
PID 1516 wrote to memory of 1360	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	112
PID 1516 wrote to memory of 1360	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	112
PID 1516 wrote to memory of 1360	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	112
PID 1516 wrote to memory of 3832	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	113
PID 1516 wrote to memory of 3832	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	113
PID 1516 wrote to memory of 3832	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	113
PID 1516 wrote to memory of 2348	1516	cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe	115

C:\Users\Admin\AppData\Local\Temp\cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe
"C:\Users\Admin\AppData\Local\Temp\cd281423bbaf1fc364bcf757bf49da8529926ac7724af2c749e551582a008490.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2436
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2256
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6088
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4988
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5808
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3444
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4392
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5504
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:6008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:2628
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:1764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4388
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5440
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1340
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:644
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:232
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1360
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3832
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4300
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:940
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2348
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:3200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5448
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
0d1a36144f784c47241c907083665c79

SHA1
729420dac1ae2f636be664cc9ff57df5ae8d9267

SHA256
4c628500fbd7403fe8c24f0ff801242d71c7ccb014f4ba150d63501c077e7761

SHA512
52f03912b3754000f4cc88f7feaafc7ec26ded0a8eeb4ec2ebd2213d35c5d41c179a584633958c1193e268c3d90326081a547894497946968d413a5104c61933

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
10ffe941ac3b45a1b27eaab090d03e3b

SHA1
4f72abac858bc7659692930176f0cd4f18e354f1

SHA256
b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144

SHA512
638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a4e2d4727487955ad59bf2d1a6661981

SHA1
e52949b5d7226aaf75d3713ed2ff1283edab2259

SHA256
4b2d44fd28dcc86d4f73784cea9ac601d2e69574ea0fc6214b3481b10687e0e2

SHA512
f3c59196a57237caa7ad762e2e31bb3b95156eb33cdad7d7b28244842a733160a74c6568452252ce2add95980fe653dc5322a3d1722f9d798289557351b5ea55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e9a63d75aa695cc53b66cffe5f0aa0c6

SHA1
6c89641439e6954ab7915b31f8b2aa2ec3aa4c70

SHA256
0354f516458c0440443beb53205e2da6ede95d013d17518fc3f6cf796fef03e1

SHA512
f39af820e4c0786a8ff15b005b2c0005889bfac997fb0244eae5e1024361e808990712fa8b295c6e742b21525b710ad7f096b41ce62e22c29ce62aaa3535003b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bf2ff7a225aa8fe842ad6c888bfdbaf9

SHA1
909b1a02275469dc5cdf2332506cb30f56f5bf47

SHA256
3c4ae75c8ae328c6d16a5435f2e2e1058c67948f9d87ecf3b02a67f6505140dd

SHA512
4c43c4f32a399a83495eaeef2161b39add82e54ff3c5547aa960376e9e7d75856697d04bf50e33130839c31a2f5b121ce5f64a3eb67d7791de7bd53f169861bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6cb598bfc0a1a66e513108382f49153a

SHA1
e3f48f6eb958f6c696b24d07031a15bba1a9eccf

SHA256
c134ebad4d9203a3643a2213cd53aacb0af80988abad2eca464d4ba6eb711ec5

SHA512
bc871d22f8321ee10cac1b7b9646f3dd38a4a6692b7744d02e4754160e39e66d93d06888540777b99418aba531b11fa036b590cbed4c3625d7bbc9029613dba7

Download Submit
memory/1516-4-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1516-63-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1516-64-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download