569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35

Analysis

max time kernel
23s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
Size

1.1MB
MD5

9b3224ee2c2c7bad4a58a92a8ed91d9f
SHA1

b2542cd1a89839fd2943e9e2d30fa809bf8936b6
SHA256

569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35
SHA512

eee65996303d778dc961e3a57b939ba944c97acc7b028f6c83390f4e45ffc78a6b2445bce35b63773f84a5ed15bcc0e7dcd5a0dc839f5f5fa2eda661534c7f40
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzM/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 5112	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	106
PID 3932 wrote to memory of 5112	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	106
PID 3932 wrote to memory of 5112	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	106
PID 3932 wrote to memory of 4164	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	108
PID 3932 wrote to memory of 4164	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	108
PID 3932 wrote to memory of 4164	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	108
PID 3932 wrote to memory of 4848	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	105
PID 3932 wrote to memory of 4848	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	105
PID 3932 wrote to memory of 4848	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	105
PID 3932 wrote to memory of 3668	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	104
PID 3932 wrote to memory of 3668	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	104
PID 3932 wrote to memory of 3668	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	104
PID 3932 wrote to memory of 3628	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	103
PID 3932 wrote to memory of 3628	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	103
PID 3932 wrote to memory of 3628	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	103
PID 3932 wrote to memory of 1224	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	110
PID 3932 wrote to memory of 1224	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	110
PID 3932 wrote to memory of 1224	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	110
PID 3932 wrote to memory of 4040	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	100
PID 3932 wrote to memory of 4040	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	100
PID 3932 wrote to memory of 4040	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	100
PID 3932 wrote to memory of 4736	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	109
PID 3932 wrote to memory of 4736	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	109
PID 3932 wrote to memory of 4736	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	109
PID 3932 wrote to memory of 3864	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	107
PID 3932 wrote to memory of 3864	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	107
PID 3932 wrote to memory of 3864	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	107
PID 3932 wrote to memory of 2304	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	102
PID 3932 wrote to memory of 2304	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	102
PID 3932 wrote to memory of 2304	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	102
PID 3932 wrote to memory of 4244	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	99
PID 3932 wrote to memory of 4244	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	99
PID 3932 wrote to memory of 4244	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	99
PID 3932 wrote to memory of 3028	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	101
PID 3932 wrote to memory of 3028	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	101
PID 3932 wrote to memory of 3028	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	101
PID 3932 wrote to memory of 3056	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	98
PID 3932 wrote to memory of 3056	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	98
PID 3932 wrote to memory of 3056	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	98
PID 3932 wrote to memory of 3508	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	97
PID 3932 wrote to memory of 3508	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	97
PID 3932 wrote to memory of 3508	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	97
PID 3932 wrote to memory of 552	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	95
PID 3932 wrote to memory of 4996	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	96
PID 3932 wrote to memory of 552	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	95
PID 3932 wrote to memory of 4996	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	96
PID 3932 wrote to memory of 4996	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	96
PID 3932 wrote to memory of 552	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	95
PID 3932 wrote to memory of 4780	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	94
PID 3932 wrote to memory of 4780	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	94
PID 3932 wrote to memory of 4780	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	94
PID 3932 wrote to memory of 3532	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	93
PID 3932 wrote to memory of 3532	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	93
PID 3932 wrote to memory of 3532	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	93
PID 3932 wrote to memory of 2880	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	92
PID 3932 wrote to memory of 2880	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	92
PID 3932 wrote to memory of 2880	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	92
PID 3932 wrote to memory of 3248	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	91
PID 3932 wrote to memory of 3248	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	91
PID 3932 wrote to memory of 3248	3932	569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe	91

C:\Users\Admin\AppData\Local\Temp\569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe
"C:\Users\Admin\AppData\Local\Temp\569baf7ba8ab63217761ebef8e45501a448f40503cc549826ad8f0164177ce35.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3248
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3532
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4244
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3028
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5732
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2304
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5896
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3628
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5544
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3668
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5608
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4848
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5756
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:5112
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5668
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5208
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:3864
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5660
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5432
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4164
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5740
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3080
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5756
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2280
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:4736
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5588
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:5380
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:2776
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        
        PID:404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1224
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5212
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3353d1633bca569636039038a518d927

SHA1
780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

SHA256
6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

SHA512
66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
a5111e7258e76428f5792ba557569e87

SHA1
1765624ca7c3c3062e0060c717b506f3e4e3dcac

SHA256
3927679339e34eb17cd2203b6afbaeac217bd5ed519633d4e4ca37f37b75fea0

SHA512
158f3b6eb75422f4e0ed7469a34d9d89a49e8f5c32a530163056b591a39b6cb248adc48668d62a3da45efcdf4e2e826fe986ecd7c63f0509f90446eef072d942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a7abbe21bd06224da6044ceefc079882

SHA1
45948d51fb8d65cd1032448311043927dcfa0d2f

SHA256
5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

SHA512
3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2fccf43217e36abdf23c10eacb8450ae

SHA1
2bef23f857d438dad240cf714a1a3c40438b77ce

SHA256
a8b4c6b9cc9166796e848102315774838e485eca75e768a093cd9ee4683cbfd4

SHA512
96c721c587e8186f2fe7b68549deaf0e3568d04bcb0a49eb6bcac021381ad828e6aa6b610a407de8d8c6ac71ab4868d78111ae3aa729ebe0b613032c097d616b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
04676f3d0be46ef4dec98f21e22e2f25

SHA1
5e57ebda6cf3d0e4b23bd31978ccf6a78e01c525

SHA256
2c1a01edc59fe9b72b53d70e1bae025338d11e584ac5fc450f7fd625f40acf87

SHA512
7d6c5dd38a2f27f25bd176f83277507621bb074f5086019fc51f954688d65b3972260644a50bfe9de76c040597c12c805088833c7cc1ec6b89eac2728764277d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
5bc546c4b06929b560c302dc61b1d0b2

SHA1
957dd89a5318bfd18ea23f618456d0eda0ea4904

SHA256
42a2e38aac5af7327b1feeaad0d1b530acb14a5d5f62d316297e751e9abd989a

SHA512
ecd9e36ffb276fc739f9d0bfcf787680f86d446b71d20bb87ca895e60e0691c1ca4c3fec14a64798771b74b2d8af8ba84a01ade2180306922b3802898f63ab00

Download Submit
memory/3932-38-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/3932-47-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download