c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708

Analysis

max time kernel
34s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
Size

1.1MB
MD5

93a4c3d6c7ac966667e3e1c5fa8c19c0
SHA1

806f416c1d90b271e7ab0982ef660ca5b4b5786b
SHA256

c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708
SHA512

7c9d1760231a10fed6965f5357d8c643b98e323b69df614966db9df1a50cec7d6e26af84c5e03b1a9de8b01166c245c45fc47c630aba8cd3c1d81a50e06878c4
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qb:CcaClSFlG4ZM7QzMs

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 23 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 8 IoCs

pid	Process
5880	svchcst.exe
5900	svchcst.exe
5928	svchcst.exe
5944	svchcst.exe
5952	svchcst.exe
5976	svchcst.exe
5920	svchcst.exe
6064	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
5880	svchcst.exe
5900	svchcst.exe
5900	svchcst.exe
5880	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 404	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	98
PID 2136 wrote to memory of 404	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	98
PID 2136 wrote to memory of 404	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	98
PID 2136 wrote to memory of 2804	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	104
PID 2136 wrote to memory of 2804	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	104
PID 2136 wrote to memory of 2804	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	104
PID 2136 wrote to memory of 5084	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	95
PID 2136 wrote to memory of 5084	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	95
PID 2136 wrote to memory of 5084	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	95
PID 2136 wrote to memory of 2924	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	101
PID 2136 wrote to memory of 2924	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	101
PID 2136 wrote to memory of 2924	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	101
PID 2136 wrote to memory of 2104	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	102
PID 2136 wrote to memory of 2104	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	102
PID 2136 wrote to memory of 2104	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	102
PID 2136 wrote to memory of 4460	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	91
PID 2136 wrote to memory of 4460	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	91
PID 2136 wrote to memory of 4460	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	91
PID 2136 wrote to memory of 4372	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	92
PID 2136 wrote to memory of 4372	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	92
PID 2136 wrote to memory of 4372	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	92
PID 2136 wrote to memory of 664	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	96
PID 2136 wrote to memory of 664	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	96
PID 2136 wrote to memory of 664	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	96
PID 2136 wrote to memory of 3832	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	110
PID 2136 wrote to memory of 3832	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	110
PID 2136 wrote to memory of 3832	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	110
PID 2136 wrote to memory of 2344	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	94
PID 2136 wrote to memory of 2344	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	94
PID 2136 wrote to memory of 2344	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	94
PID 2136 wrote to memory of 3944	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	97
PID 2136 wrote to memory of 3944	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	97
PID 2136 wrote to memory of 3944	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	97
PID 2136 wrote to memory of 2916	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	100
PID 2136 wrote to memory of 2916	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	100
PID 2136 wrote to memory of 2916	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	100
PID 2136 wrote to memory of 3356	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	105
PID 2136 wrote to memory of 3356	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	105
PID 2136 wrote to memory of 3356	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	105
PID 2136 wrote to memory of 212	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	103
PID 2136 wrote to memory of 212	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	103
PID 2136 wrote to memory of 212	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	103
PID 2136 wrote to memory of 1888	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	93
PID 2136 wrote to memory of 1888	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	93
PID 2136 wrote to memory of 1888	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	93
PID 2136 wrote to memory of 3672	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	109
PID 2136 wrote to memory of 3672	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	109
PID 2136 wrote to memory of 3672	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	109
PID 2136 wrote to memory of 3652	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	108
PID 2136 wrote to memory of 3652	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	108
PID 2136 wrote to memory of 3652	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	108
PID 2136 wrote to memory of 3964	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	107
PID 2136 wrote to memory of 3964	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	107
PID 2136 wrote to memory of 3964	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	107
PID 2136 wrote to memory of 4056	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	111
PID 2136 wrote to memory of 4056	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	111
PID 2136 wrote to memory of 4056	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	111
PID 2136 wrote to memory of 3592	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	99
PID 2136 wrote to memory of 3592	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	99
PID 2136 wrote to memory of 3592	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	99
PID 2136 wrote to memory of 4512	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	112
PID 2136 wrote to memory of 4512	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	112
PID 2136 wrote to memory of 4512	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	112
PID 2136 wrote to memory of 2332	2136	c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe	106

C:\Users\Admin\AppData\Local\Temp\c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe
"C:\Users\Admin\AppData\Local\Temp\c7e5ad4726f4217ed3cb17d6f6f9551435cfab4b8a0db33072d28cdeb5824708.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4460
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4372
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6016
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:5928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2344
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:5084
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:664
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:6064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3944
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:404
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3592
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:5976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2916
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5960
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2924
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5936
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2104
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5808
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:1564
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:212
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:5944
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2804
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:5920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3720
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3356
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2332
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6032
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3964
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6096
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3652
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6000
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3672
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6024
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3832
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4056
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:4512
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:5952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2808 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:5500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
4eb015050180a092b60b97791e9b6236

SHA1
c7431d26ab7d601634a857d9010498f6859d78f8

SHA256
dc12ff016b9e8b2da1f645cb69e04e8f50bc188bb1d975a8ba4e0d5eff0f9838

SHA512
f871244c27e0b5d95c94eb1487f056a1230f69410081e21869c47120bbe2ee87c49cac6c41418c1221363820b06ab7e1d1321dc23f1265795a5340f311d5df37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ae612635c6708b53cc920f0aa0ece005

SHA1
068027bd4e8748b3f8abc6450502614b694c3387

SHA256
6b4348a0a1dd3eb69823e5f6cba834051a25ad75c05b09dc8a1e5a45e45f33a4

SHA512
31c923222af27106cee5b9485d85916b7aa82450141f081391e25d978cc4d2ac879b509886079134ce6beb7ba5c2ff91bf6f63cd73feb7481be28c30c4b503ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e9c9e1c5f19943be81d403e338e00d80

SHA1
d593e2046ec652ec29db3307a691c6078de0a225

SHA256
3100f537f67fc73133e38af858826cf4c47aa9624ed5884e5625d5ffa6b42a69

SHA512
9d995274666639bf42882ba138ce54eb1f58155600481444d6b1c568a8fc9a9108724a9ab92b739815bd2be856c62b9a68a75acdf0c710aca54143b188ec0752

Download Submit
memory/2136-4-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2136-50-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2136-52-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download