Malware Analysis Report

2024-10-19 08:27

Sample ID 240125-v4l66acfcr
Target 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e
SHA256 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e
Tags kinsing loader
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e

Threat Level: Known bad

The file 9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-25 17:32

Signatures

Unsigned PE

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-25 17:32
Reported 2024-01-25 17:35
Platform win7-20231129-en
Max time kernel 149s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A | 1

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A | 23

Loads dropped DLL

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A | 33

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A | 63

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A | 1

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A | 46

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2856 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 3040 wrote to memory of 2764 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4
PID 2764 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2516 wrote to memory of 1676 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4
PID 1676 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 1932 wrote to memory of 1096 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4
PID 1096 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2236 wrote to memory of 2284 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4
PID 2284 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2292 wrote to memory of 976 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4
PID 976 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 2004 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4
PID 2368 wrote to memory of 1584 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 1584 wrote to memory of 1872 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4
PID 1872 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | C:\Windows\SysWOW64\WScript.exe | 4
PID 1584 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | 4

Processes

Image | Command line | Count
C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | "C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe" | 1
C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs" | 24
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" | 23

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 9ac34382b3b2b527e79a84793e273f78
SHA1 060474ffdfe4ed5f2981a4059bb27bc5aa2ca21e
SHA256 ec2b756bcd86c66931828932e2faf585f6792b46c1cbb4dad6251c38943d475e
SHA512 36b6f137ddfee7d1ea9506fc0a0e19368b87655f5eb50380dd97ac9eafa69237bb8cba9d33cbdc3a7b42797d099453ff2b0aa4bfff42df1846ed86fc432b309a

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 44359611d3dbda466f71868d64ac2dcb
SHA1 a72d353406c55d60d2c253fcb6d4d9b0d1698746
SHA256 54a155e2ecf45901a714f8c504e9fd3e53266d91a321180605aea7d1fcbcc741
SHA512 52c09ebb563f136cc3f4ca7bbbb8dcbc3fdf1b79b2ca290411fc6015534a2499722e8c8abd446d8cd3e7276a85d76700158816eb0272897e8d9ac7b73a930480

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 1c4a20bad462e2ead31b207cd4b0dd1b
SHA1 e6037559a47f711d0e930c907b6c33269cb8ecb9
SHA256 7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e
SHA512 78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1 e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 619955d43a58558c766025119a5a66cb
SHA1 cfb43d2b9cb68699667ca8d4929e71b25ed115ab
SHA256 a129bff17a859b7b2d6681f519c985c661797dd508ac249d30f02a0a78858cee
SHA512 20f9499cddf2fb824365830736255a1dce689da0e94fa8e999ee4e28883e65637410710ea01204b5f3d48213f697461288da2b7a535511da87f848b1e6e83bc6

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 f21c274add6f68abbe173d5a56cd1b87
SHA1 ec21a2daf446e350caceb7cd442c7c884114e704
SHA256 9d5ac21c38e1a8957ee4955df4ddd82cab5924e5bf77c224875330849352291e
SHA512 502a7d33358778d639a3d77122d8141ff359586b94526b8edb506617ee9c4b4aa4efe3d4a842842b432b4153bdb5fadde409300074f765454aa08594ab39a30a

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 2e698d56b34d4d58156fbe00e6b9a1c6
SHA1 c74f3d5fca80e69fa614b829abb23fa31d891604
SHA256 7742873ac05e7679a3fa9eafc987a68f44912ce22feeb8d1843a622916611ae7
SHA512 02aabbd08b1dbbc09332856f43e06609aefda5d9f72d523b80e3aa580213cb2d1f532867a6f61c61e6e0c5d6931d6753d2ab5d4898d53743f36e3bae1a92c9e3

C:\Users\Admin\AppData\Roaming\svchcst.exe

MD5 fbbf6e2ccb0dbb078fb65c536cc89f47
SHA1 80f5bcefc153470b07e7f49d845a992070a46449
SHA256 f3113785dad80bf60bb5a23a2578e7086e5b1a303d28e0e6a4c64c9221f53663
SHA512 dfdc04fc0c3d919c72a4c377bef113d397b97a09563cb81c83a622c7fa26bf629b6b8bdbe1e5530e6b85a7bb66b730950aac9f0616c7b2bd73250839a73b03b1

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 3ed43de1cee96aaf1d64189d4482a672
SHA1 a346f6b3eca7b8442021d9878288d91084d00d79
SHA256 b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98
SHA512 8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 e8b040d53d137dcf8b232ed1366edb70
SHA1 28a7d40298f23d5dc1d94206ef38e4397ed960c8
SHA256 d3eeba3305e4a16b8a5d26c479016f55dff772f7215e70c8c60d388972ab2ec6
SHA512 94db32b97d7181f37346f43abd394db33d03d881eee1d12b0d8feecae667cb0a55a3d557a5b0c5d3b815a7df7658e263bb20d8158c557258deeddc541d731711

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 6c7c14146ea4f274fb125f7272c7657b
SHA1 d42b2069f27a259a2e94d04ffd5f4139753b93cf
SHA256 bc821b5517428117ed808690c3d0e9a4f962e25d6bd0c0946c520c78ec3b773b
SHA512 b02e7c44544fef5a13c8a03936f0a5a8371006588cc20281fd006bb987f1e0af64807f018243737d100825eac65851938d01db0d42f91195def1619d11fa9e64

C:\Users\Admin\AppData\Roaming\svchcst.exe

MD5 a8836fd41f4a97a2a022a92da983fbe9
SHA1 050f2452612b9f67ab3e26ee78e1447b61785ed6
SHA256 a1e5959d4e02e09451ce33e3e37cbfe6333c19a35d33cf35766e619853f56212
SHA512 856fbcb3ab4914191d48fabb92c3f959f85558d70cb9dd5077eb42aadd535c545e582e8e8775e2055c37c5bf8b39f22f0d6e939dd18ca17458c1276c4e99d8f6

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 4433cc23fc280ad8dcff9966bac19fe4
SHA1 62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0
SHA256 ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b
SHA512 6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 1ef0f0b572c2f4293cad723d25d00c42
SHA1 21070aedce103ee5e41ef411b732699f04623804
SHA256 92f0114d24a1bf7f670197c1b6e8cecc445559bbf6b12e1a82538aa9213fe4a3
SHA512 0af8482f8df004ae0534ab1d23addd55149209ab50bfb1ecbfc4d9ee49c7cce91b53fd3ed3b155e020286772eaa8396c89b8f67befe3ca5d9804b7871add0c4c

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 f357ee21e8909b2637bfc8fb601b07f8
SHA1 57dde600c63cc54bf3a32a6c0ab046fe7f73e18f
SHA256 1653df838ea35052ce23026f3ce82671010ffe2a5cf5e73b127d6492ddec0b5a
SHA512 848cf5b987c346b0f47b18575b9f78bf0e431501a74f2615314c08f8f3ad80013eeb3f2c61ac16bcf1071db13e4f065e1f134f797d3588d7a7201817eee975d3

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 1c8384e69e50f70352988a68e7a53ae9
SHA1 256f9088ae2bd58bf9fd82147b39b6540625b15c
SHA256 e33d02a2be228cf314b0c83529ecf0ff98524e9688afb31c6af1baeaf4835429
SHA512 cc13bcded1eceb51c6f2807e9616235d423df3a52d4d738e6e3fc25336f0cc9608cdb0d4fc66aeb859de18eafb90829ed0d7b8ce1e57f386ea81018030a2c87f

C:\Users\Admin\AppData\Roaming\svchcst.exe

MD5 60e1ca004125977d1f8980464e2cfa70
SHA1 1e0d6c3220aa75f664324f2abe0d19a5b7c69b92
SHA256 db86d9c6b47699812951766de422440605268b55b76b2ab35a912554f030dbe5
SHA512 8bcb79b00c658f67f9d69933a744f354176577548954d9ecae2981089a175cd56a5e7ddbdd4b78b920739b4ed3c5529852ea646f8d91a083934a3ac05181e06f

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 ddd204c2596c95e0b37f2faf17345158
SHA1 fb5c9a676eb0b0e08ed0498a5696bbd7d443b1a2
SHA256 6ba8498e50d16dedd7a4479998981b504b684f524c08329269fd4eb6e3fe52a2
SHA512 17f8ff158d74cb8b37954cd5d458440cbf7e41dd03d08d5101b55f7ca259fdd1e36967e5231a31362c68456d0e91bdbac1c83cc19876ab7ec1c97bde0ec03244

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 8791e512506fcb2893ca2a7b33738a44
SHA1 00e931316c854293abe79989380f30de85c8447b
SHA256 581dc56e5bf85e9e8f3187df45e62d6cf90a089b96f317cadd5e3f4a975b0344
SHA512 8b94c449794bd88bc0ffcf8e8f60c2d3f84ca9837ed0c592a90377c2a277ffc44f83a1b485cee2ad9769b8ca96f3fc8cd1cd1d162b3cd8fcfb789830b022b2d1

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 707b321aecdadf975041a3aba828beef
SHA1 5fd7ef898c46e4e9d682b81505666eaceb0da001
SHA256 e3e787b1a13be39d24ce7f8d5194ce9cf6d028350a9635f84c46ba6b97deace3
SHA512 bf07b1d493a57fc79ac6c430720e81bd1cf23e13b8f579f9c10fc2ed87f8970de2215e85598a68a010f6023d084baf39c9f792525c6b5c2f24b6079000dc6d52

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 951aaea1269f2a203f3dd7cd181c5d34
SHA1 3623d216764b24aa0b02cbc136287252bf5b412a
SHA256 228b66ed4c4a1270fe5a6655cdd849de937351e95974b96acafa59b8107b7dd4
SHA512 cd84967ad43a13c3cd57cc80f6533a9e9fd93a5eddf4807825b8d19883da4acda3e7b4ff963f23209c579050fedf834382d8e718386c852ceaf350b2b0f91816

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 234d3bd7d4c79c9f8515c4e3812a1c9b
SHA1 f0add1f9e02bad7016d7b183f6d64d4800df4e12
SHA256 c9ba84b70031261f15918f7e74bd45b7b889b8e8427efa4ff19537e3d27633d0
SHA512 3d42cb367d8ba46cff006692c69f88ab165b9b326000c0bf187e682ce181413dd6f8eb083972765f332dc4309996b3621018ce3cf22d4d944c2b3c0e51f4aea0

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 2c3b5340da071ac89dded61dffd49fb5
SHA1 77a880658d0b70e5455379099427bfdae8cc0ae8
SHA256 d7433fbea40ea3f87e991ce54c73436c110cfbb83748d554aea8d94051a5224e
SHA512 7e69f14c55afec39149491531c2a499b6253aa71ad448e722912f239fde055826b34383bd8d14773af08ef475b5fe53451a0a93e0bcc46fbeba3872198200f3c

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 5f762b3b2477d92959f29d768008d453
SHA1 ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97
SHA256 5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5
SHA512 fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 18daeaff7fc134fc2edabbaea7e7e9f0
SHA1 a6a3002f7828141bac042e08241df957ef348bb4
SHA256 56a26505482cb65715785a972070bd6b72ad56c09ec26f7a97d7b0ac5bf52303
SHA512 6a91ececa4ca5ffbd12c7ca83888a63a7baf2be281610d9b0d83ee9dfcb8f6d04c1466de5ac1b53abe3daaf2998ec40b4b3a1a1d6fc271f35d25523358bd3df0

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 b10f68ba9ebd3b819da4be2e0d597f4e
SHA1 b0fc0bd7169fe45a1116116c20ceef191b96037e
SHA256 833e2453eafe6b716d5f3bfd62c9142e6cfe17d44604a9cb64b166737aa8d9f4
SHA512 901c8a1edb4233c3eee92fdc2f7cb546cf34acf84a89cd20c60948e6ce7f9c7a35fa074921b8a01623cf90f32c8e32a4ee981fe84ce416e10a7b82770abdc381

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 c90d3f79161670ce94f06e5514560453
SHA1 453afe30dbfca2586ef0b6536dbe1c35ab9eefda
SHA256 862cdfe637dd5458c1521a1a3aaa74be322647e08e13fd7d13e43a8aa6f23825
SHA512 936b8e3277f502164804ce1c00f22eef00b7d256b4653b5db5b2b03088d3dfd20b51ada50b867bf6afebf0eef6166aa57bb55dfb89a718b00c87abe8ce171e1f

C:\Users\Admin\AppData\Roaming\svchcst.exe

MD5 b08fbf68e6da490403ff16381636f4db
SHA1 3f38f922b7eaaac8fdd722302be99155a26248d8
SHA256 17acf6eb824c95d1f72d5bf1c5b3f7597a98c6edb722dcf483a93e43d72c6de5
SHA512 7907de422c1c0a3f93eaf36d06ecda7f89df7b2ad0b53b623bdfbef49930db7c3348f0985992f4a57609938b214d3f06aa3d105bd729749c56220b3cd6b1b47f

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:32

Reported

2024-01-25 17:35

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe"

Signatures

Kinsing

loader kinsing

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Enumerates physical storage devices

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe N/A

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1624 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1624 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1624 wrote to memory of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1624 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1624 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1624 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 800 wrote to memory of 1216 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe |
| PID 800 wrote to memory of 1216 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe |
| PID 800 wrote to memory of 1216 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe |
| PID 1400 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe |
| PID 1400 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe |
| PID 1400 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe

"C:\Users\Admin\AppData\Local\Temp\9eb0e0fe6eeb7a906e5562fe955d7b0bfab3e62f09f3997b740cb2ec87d9167e.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 4b5a0a618e78ccbe04e0786d8c283ce0
SHA1 c937fb61b98879f219aab77cf0844320f69ba0ba
SHA256 177a1c11edd7f933c52ccc6bef99bfeeda7c342243872be1276cca5e27cdf33d
SHA512 1043469036b8b3371c07bd43bd45ea2b8441db0fa5fd369086b8236560561e208542d472aa428a2677a3b789dadeb204c911fb1af2e7ae85dfd26f72a18ba16b

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 f469cdf8df240e14025ba8608a893e94
SHA1 9ed94d56da438f293ba371373f3f204c7d1c5269
SHA256 3627e902a55ffa64f7e1a096ab4d5e9a7fa66d444e4e476b9726ce8c075d3778
SHA512 ec6645adea7634428a5502a53c47501ef71456c893d740b3d47c5ef4effa566521f5ab31d9d1adc64c3ab2d188e03b205412490aace3a75734b758fd59095f5f