Analysis Overview
SHA256
9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d
Threat Level: Shows suspicious behavior
The file 9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d was found to show suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win7-20231129-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe
"C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
memory/1720-8-0x0000000000400000-0x0000000000551000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
\??\PIPE\srvsvc
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe
"C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
memory/4580-8-0x0000000000400000-0x0000000000551000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini