6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e

Analysis

max time kernel
20s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
Size

1.1MB
MD5

ff5bcf1cc3d1f4efd24ed492c478e10e
SHA1

155891a2f3616d23e8c55c421eb153a0c16bfc4d
SHA256

6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e
SHA512

4e3b35e2d4aeeca024c98e30978912e946360068fe063222f509157e0d8dab2a85726751e4000cf3286620748f0da1350b188f45fdc9602dd997c92860be99ad
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q4:CcaClSFlG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
2860	svchcst.exe

Executes dropped EXE 8 IoCs

pid	Process
1376	svchcst.exe
2860	svchcst.exe
3648	svchcst.exe
3644	svchcst.exe
864	svchcst.exe
2012	svchcst.exe
4692	svchcst.exe
1716	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe
2860	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
2860	svchcst.exe
2860	svchcst.exe
1376	svchcst.exe
1376	svchcst.exe
864	svchcst.exe
864	svchcst.exe
3644	svchcst.exe
3648	svchcst.exe
3644	svchcst.exe
3648	svchcst.exe
2012	svchcst.exe
2012	svchcst.exe
4692	svchcst.exe
4692	svchcst.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1760	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	99
PID 1680 wrote to memory of 1760	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	99
PID 1680 wrote to memory of 1760	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	99
PID 1680 wrote to memory of 4704	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	98
PID 1680 wrote to memory of 516	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	95
PID 1680 wrote to memory of 4704	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	98
PID 1680 wrote to memory of 4704	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	98
PID 1680 wrote to memory of 516	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	95
PID 1680 wrote to memory of 516	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	95
PID 1680 wrote to memory of 3068	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	97
PID 1680 wrote to memory of 3068	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	97
PID 1680 wrote to memory of 3068	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	97
PID 1680 wrote to memory of 3928	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	94
PID 1680 wrote to memory of 3928	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	94
PID 1680 wrote to memory of 3928	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	94
PID 1680 wrote to memory of 812	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	93
PID 1680 wrote to memory of 812	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	93
PID 1680 wrote to memory of 812	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	93
PID 1680 wrote to memory of 1052	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	102
PID 1680 wrote to memory of 1052	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	102
PID 1680 wrote to memory of 1052	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	102
PID 1680 wrote to memory of 1944	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	100
PID 1680 wrote to memory of 184	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	101
PID 1680 wrote to memory of 1944	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	100
PID 1680 wrote to memory of 1944	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	100
PID 1680 wrote to memory of 184	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	101
PID 1680 wrote to memory of 184	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	101
PID 1680 wrote to memory of 2428	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	103
PID 1680 wrote to memory of 2428	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	103
PID 1680 wrote to memory of 2428	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	103
PID 1680 wrote to memory of 3460	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	96
PID 1680 wrote to memory of 3460	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	96
PID 1680 wrote to memory of 3460	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	96
PID 1680 wrote to memory of 4012	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	104
PID 1680 wrote to memory of 4012	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	104
PID 1680 wrote to memory of 4012	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	104
PID 1680 wrote to memory of 1860	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	105
PID 1680 wrote to memory of 1860	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	105
PID 1680 wrote to memory of 1860	1680	6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe	105
PID 1944 wrote to memory of 1376	1944	WScript.exe	107
PID 1944 wrote to memory of 1376	1944	WScript.exe	107
PID 1944 wrote to memory of 1376	1944	WScript.exe	107
PID 4704 wrote to memory of 2860	4704	WScript.exe	108
PID 4704 wrote to memory of 2860	4704	WScript.exe	108
PID 4704 wrote to memory of 2860	4704	WScript.exe	108
PID 516 wrote to memory of 3648	516	WScript.exe	109
PID 516 wrote to memory of 3648	516	WScript.exe	109
PID 516 wrote to memory of 3648	516	WScript.exe	109
PID 3928 wrote to memory of 3644	3928	WScript.exe	110
PID 3928 wrote to memory of 3644	3928	WScript.exe	110
PID 3928 wrote to memory of 3644	3928	WScript.exe	110
PID 184 wrote to memory of 864	184	WScript.exe	111
PID 184 wrote to memory of 864	184	WScript.exe	111
PID 184 wrote to memory of 864	184	WScript.exe	111
PID 3460 wrote to memory of 2012	3460	WScript.exe	112
PID 3460 wrote to memory of 2012	3460	WScript.exe	112
PID 3460 wrote to memory of 2012	3460	WScript.exe	112
PID 4012 wrote to memory of 4692	4012	WScript.exe	113
PID 4012 wrote to memory of 4692	4012	WScript.exe	113
PID 4012 wrote to memory of 4692	4012	WScript.exe	113
PID 1052 wrote to memory of 1716	1052	WScript.exe	114
PID 1052 wrote to memory of 1716	1052	WScript.exe	114
PID 1052 wrote to memory of 1716	1052	WScript.exe	114

C:\Users\Admin\AppData\Local\Temp\6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe
"C:\Users\Admin\AppData\Local\Temp\6ef4dd7406e479e85b1d9cc664819c899603eef597924fcf60edd3957f5f914e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3648
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:864
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    PID:1716
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:2428
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1860
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4624,i,10426317566413639638,17907471819827662535,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
940c29c3baa77a1c8d98a8f08166f2ad

SHA1
8bcc2eef5dab97bbecbc34013bd9676adb39595a

SHA256
07b109d658b8a02e851557387bf4a8c7d113c0956c7956b94d5d4619c81a8436

SHA512
9d048b159883f73240c37fe64ed9311db9f8f54977ce90d97ba007bfb0adb05cb793ba2c33a3e4f86c86ec0a7367ef7104738ee94374dd0f2affbd0d3884fdfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ae6755cfc7f01d2a7029764bf33eccb9

SHA1
e8b29ebde533078638a588e3e6aa76e0d2a02119

SHA256
d49e446f9d98ff53b96345d38b9a8506c9120c1cebf7b6b74b27bc0438c40d97

SHA512
96b2ea9a46b5698ba1e82a5c5536ef91b5df326028e1303ca2e446592fc7d54d5d1674c9a9d5bc260b1b1912ee623e249420bc4255e91a729bdad7daf0c9b7da

Download Submit
memory/1680-32-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/1680-33-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download